Brighton pays data breach fine

Brighton and Sussex University Hospitals NHS Trust has paid a fine of £260,000 after a contractor sold hard drives containing patient information on eBay.

In June this year, the Information Commissioner’s Office issued the trust with a record-high fine of £325,000 for breaching the Data Protection Act.

The trust told eHealth Insider at the time that it “simply cannot afford to pay” and it would appeal to the Information Tribunal.

However, the trust’s annual report for 2011-12 says a reduced fine of £260,000 has been paid. Fines are reduced by 20% if paid within a certain time frame.

The report says the trust made “extensive written and oral representations on the notice of intent” issued in May, but paid the fine in June.

The breach occurred after a contractor that the trust paid to destroy hundreds of hard drives, containing sensitive patient information, instead sold them on eBay.

The annual report says that the hard drives were sold by a person whose company had been engaged by the Sussex Health Informatics Service to destroy them.

“All of the drives were recovered or otherwise accounted for and [the trust] remains confident that no patient identifiable data entered the public domain.

"[Brighton and Sussex’s] membership of the Sussex HIS concluded at the end of the 2011-12 financial year,” it adds.

“As part of bringing ownership of IT services back in-house, which took place on 1 April 2012, [the trust] has taken appropriate steps to strengthen the processes relating to the disposal of redundant hard drives.

"[This includes] a stringent due diligence process for the engagement of contractors in the wiping and disposal of redundant hard drives.

“Through the internal auditors, the audit committee will be ensuring that the trust’s information governance arrangements are subject to a rigorous process of continuous improvement and that appropriate training continues to be provided to staff in addition to that which is given during the induction process.”