AMI

NHS Trust fined £325,000 following major data breach

Brighton and Sussex University Hospitals NHS Trust has been served with a Civil Monetary Penalty (CMP) of £325,000 following a serious breach of the Data Protection Act (DPA), the Information Commissioner’s Office (ICO) said today.

It comes after the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – found on hard drives sold on an Internet auction site in October and November 2010.

The data included

  • Patients’ medical conditions and treatments
  • Disability living allowance forms and children’s reports.
  • Documents containing staff details such as National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offenses.

The data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual.

Although the ICO was assured that only these four hard drives were affected, in April 2011 a university contacted them and advise that one of their students had purchased hard drives via an Internet auction site. An examination of the drives established that they contained data which belonged to the Trust.

The ICO’s Deputy Commissioner and Director of Data Protection David Smith said:

“The amount of the CMP issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure. That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff.”

The Trust has now committed to providing a secure central store for hard drives and other media, reviewing the process for vetting potential IT suppliers, obtaining the services of a fully accredited ISO 27001 IT waste disposal company, and making progress towards central network access.

Link to article on the ICO webpage: http://www.ico.gov.uk/news/latest_news/2012/nhs-trust-fined-325000-following-data-breach-affecting-thousands-of-patients-and-staff-01062012.aspx

 

 

About Us

We are the secure IT retirement service provider that generates highest possible revenue back for customers from the ultra-safe recycling of old IT assets.

AMI provides the leading secure IT retirement solution to the largest IT user organisations on the island of Ireland. We provide our customers with a service driven, user friendly, revenue generating solution to the complex challenge of ICT asset disposal. We minimize the risk of harmful data leaks by using the most technologically advanced equipment and processes. We are ranked among the top seven companies in the world for secure data sanitization by ADISA, the world’s leading IT disposal standards body.

Email Newsletter

Are you ready for the new EU Data Protection rules? Simply subscribe to receive our free FREE GDPR guide.


Contact Us

info@amiltd.ie

Contact our sales team directly:
+44 (0) 28 9084 7913

Asset Management Ireland Ltd
Unit 1 Mallusk View
Central Park
Newtownabbey BT36 4FR
Northern Ireland
Tel +44 (0) 28 9084 4400
Fax +44 (0) 28 9084 2312

Asset Management Ireland Ltd
Unit 66 Block 503
Greenogue Business Park
Rathcoole
Dublin D24 F300
Ireland
Tel +353 (0) 1257 3232