The penalty levied by the Information Commissioner’s Office (ICO) – which the trust is to appeal – follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff on hard drives sold on an Internet auction site in October and November 2010.
The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.
According to the ICO, the data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual.
In its press statement, the ICO said:
“The trust has been unable to explain how the individual removed at least 252 of the approximate 1000 hard drives they were supposed to destroy from the hospital during their five days on site. They are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the trust has acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible.
Trust to appeal
But in response to the news of the penalty, chief executive of Brighton and Sussex University Hospitals, Duncan Selbie, said:
“We dispute the Information Commissioner’s findings, especially that we were reckless, a requirement for any fine. We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay. No sensitive data has therefore entered the public domain.
“The Information Commissioner has ignored our extensive representations. It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would “prejudice the monetary penalty process.
“In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a GB pound 325,000 fine and are therefore appealing to the Information Tribunal.”