Feeds

NHS fined £375k after stolen patient data flogged on eBay

Hospital bosses appeal against ICO's stiffest punishment yet

Choosing a cloud hosting partner with confidence

The Information Commissioner is proposing to issue its heaviest ever fine for a breach of UK data protection laws. It proposes fining a health body after patient records were stolen from a hospital and sold on eBay.

Brighton and Sussex University Hospitals NHS Trust told Out-Law.com that hard drives containing patient data had been sold on the auction website by a contractor it employed to destroy them. A spokesperson for the Information Commissioner's Office (ICO) said the watchdog had proposed fining the Trust £375,000 over the incident. The Trust has challenged the suggested penalty. "We were the victims of a crime," Duncan Selbie, chief executive of Brighton and Sussex University Hospitals NHS Trust said in a statement. "We subcontracted the destruction of these hard drives to a registered contractor who subsequently sold them on eBay."

"As soon as we were alerted to this we informed the police and with their help we recovered all the hard drives stolen by this individual," he said. "We are confident that there is a very low risk of any of the data from them having passed into the public domain. We have subsequently received a Notice from the Information Commissioner’s Office proposing a fine of £375,000 which we are, in the circumstances, challenging."

Under the Data Protection Act (DPA) organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The law requires organisations to be extra protective over sensitive personal data, such as patient medical records. In a statement the ICO said it is "currently making inquiries into a possible breach of the Data Protection Act and is unable to speculate on what action will be taken at this time."

The data was lost from Brighton General Hospital in September 2010, according to a report by the BBC.

Under the DPA the ICO has the power to issue penalties of up to £500,000 for serious data breaches. The ICO can issue notices indicating to organisations responsible for the data what punishment, if any, it considers appropriate for the breach but can decide to alter or withdraw the proposed penalty in a final determination if representations made by those organisations persuade it to do so.

The biggest fine the ICO has ever issued is £130,000. The watchdog fined Powys County Council the money after pages from a child protection report were wrongly included as part of a separate document sent to a member of the public.

The ICO recently published an information rights strategy in which it detailed its intention to give "particular regulatory attention" to health organisations as part of prioritisation of its enforcement action.

Copyright © 2012, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Security for virtualized datacentres

More from The Register

next story
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.