Health Trust Fined £175k After Website Gaffe

Tom Brewster is TechWeek Europe’s Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Torbay Care Trust says it is disappointed by the fine, but it will pay up

Torbay Care Trust in Torquay has been fined £175,000 after it accidentally published details relating to over 1000 members of staff on its website.

A spreadsheet was placed on the Trust’s website in April 2011, but it took 19 weeks for anyone to notice. The exposed data comprised the equality and diversity responses of 1,373 employees, together with individuals’ names, dates of birth and National Insurance numbers. Information on their religion and sexuality was also revealed.

Stephen Eckersley, head of enforcement at the Information Commissioner’s Office (ICO) said the breach was “entirely avoidable”.

“Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud,” he added. “While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information.”

Trust ‘disappointed’

The health trust said it was “disappointed” by the fine, but accepted it, confirming it would be taking advantage of the early payments discount offered by the ICO. That will reduce the penalty to £140,000.

“Provision was made to potentially pay such a fine, so there is no effect on budgets for staff, or health and social care services,” said Anthony Farnsworth, who was chief executive of Torbay Care Trust at the time of the breach.

“It is important to clarify that this information did not contain any clinical or patient data. Neither have we received any evidence to suggest the information has been used inappropriately.

“The Care Trust has always had extremely hard working and dedicated staff, so it is of particular regret that in this instance we failed in our responsibilities to them. I would like to apologise, again, to these individuals for any concern that has been caused.”

The body has implemented a new web management policy to make sure personal data is not mistakenly published on their website again.

Other NHS bodies have not been so accepting of ICO-enforced fines. When Brighton and Sussex University Hospitals NHS Trust was set to be hit with a £375,000 penalty after hard drives containing patient data, handed over to a registered contractor for destruction, ended up for sale on eBay, it decided to appeal.

In June, when the fine was cut to £325,000, the Trust said its representations to the ICO had been ignored, even after a freedom of information request was sent to the watchdog, which was refused on the basis that it would “prejudice the monetary penalty process”. The appeal is yet to be heard.
