06.06.12
NHS trust ‘cannot afford’ record data breach fine
The NHS trust fined £325,000 by the Information Commissioner’s Office for a data breach that allowed sensitive information about tens of thousands of patients to be sold on eBay is contesting the penalty.
Brighton and Sussex University Hospitals NHS Trust said it disputed the ICO’s findings, especially the charge that it acted recklessly. Its chief executive, Duncan Selbie, said: “We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.”
The record fine relates to an incident in 2010 when Sussex Health Informatics Service, the trust’s IT provider, sub-contracted the destruction of data on around 1,000 hard drives held in a locked key-coded room at Brighton General Hospital.
The sub-contractor did not wipe the drives, and took 252 out of the hospital, with 232 of them ending up online and sold. He was arrested but not charged, according to the trust.
The data included sensitive sexual health information, and personal identifiers like dates of birth and occupations.
The trust said no information actually got into the public domain, but the ICO said the trust could not explain how the sub-contractor removed the hard drives from the premises, since he did not know the door code and was supervised on site.
The ICO’s deputy commissioner and director of data protection, David Smith, said: “The amount issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure.”