An NHS trust has been fined £325,000 by a data protection watchdog after highly sensitive files of tens of thousands of patients, including details of HIV treatment, ended up being sold on eBay.
Brighton and Sussex University Hospitals NHS Trust was given the penalty because it failed to ensure hard drives containing the information were wiped after they were handed over to a contractor.
The fine from the Information Commissioner’s Office (ICO) is the highest issued by the watchdog since it was granted the power in April 2010.
The Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy information on around 1,000 hard drives in September and October 2010 that were held in a room accessed by key code at Brighton General Hospital.
But they handed the job over to an unnamed individual sub contractor who did not wipe the drives and he took at least 252 out of the hospital and 232 of them found their way on to the internet in October and November 2010.
He was arrested by police but no charges were brought over the incident, the trust said.
The highly sensitive personal data included details of patients’ medical conditions, such as sexually transmitted diseases and treatment, disability living allowance forms and children’s reports.
It also included documents containing staff details like National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.
Yesterday the trust said it disputed the ICO’S finding and said it would appeal. It said it had recovered all the disks and no information had got into the public domain and it could not afford the fine.
The breach of data protection was discovered when a data recovery company bought four hard drives from a seller on eBay in December 2010, who had purchased them from the sub contractor.
It alerted the authorities and initially the ICO were told four hard drives were affected.
But then a university contacted the ICO in April 2011 to say that one of their students had purchased trust hard drives via the internet auction site.
The ICO said the trust has been unable to explain how the individual removed the hard drives they were supposed to wipe from the hospital during their five days on site as he was supervised and did not know the code for the door.
The trust said: “We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.”