UK Health Service Breaches Data Act When Hard Drives Stolen

The United Kingdom (UK) Information Commissioner’s Office (ICO) has announced that the Brighton and Sussex University Hospitals National Health Service Trust (the Trust) has received a penalty notice for breaching the Data Protection Act. The breach occurred when an individual employed by the Trust’s IT service provider sold hard drives containing personal information after being given the responsibility of destroying them. The hard drives contained “highly sensitive personal data belonging to tens of thousands of patients and staff”, including “details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports” as well as “staff details”. ICO deputy commissioner and data protection director David Smith stated that the amount of the penalty imposed “reflects the gravity and scale of the data breach”, adding that in this case “the Trust failed significantly in its duty to its patients, and also to its staff”. The Trust has committed to “providing a secure central store for hard drives and other media, reviewing the process for vetting potential IT suppliers, obtaining the services of a fully accredited ISO 27001 IT waste disposal company, and making progress towards central network access”.

ICO’s media release (1 June 2012)
(Source: ICO)