NHS Trust Outraged By ICO £325,000 Data Breach Fine

Tom Brewster is TechWeek Europe’s Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

NHS Trust says its appeals were ignored by the ICO, as it expresses dismay at the record data breach fine

The Information Commissioner’s Office (ICO) has issued its biggest ever fine, slapping the Brighton and Sussex University Hospitals NHS Trust with a £325,000 penalty, but the Trust has expressed its dismay at the actions of the data protection authority.

The case has been rumbling on since January, when it emerged that the NHS Trust was facing a huge fine after hard drives containing a massive amount of sensitive personal data were sold on eBay in 2010.

Data on the hard drives included information relating to HIV patients and criminal convictions, as well as staff details including National Insurance numbers, home addresses and ward and hospital IDs.

At loggerheads…

The ICO and the Trust, which is now appealing to the Information Tribunal, have very different opinions on the nature of the data breach.

Brighton and Sussex University Hospitals NHS Trust said it had employed an “experienced NHS IT service provider” – Sussex Health Informatics Service (HIS) – to dispose of a number of redundant hard drives. The sub-contractor employed by the service provider was swiftly told to recover the drives after they had been put on sale on eBay, meaning no data actually entered the public domain, claimed chief executive of Brighton and Sussex University Hospitals, Duncan Selbie.

Meanwhile, the ICO said a university contacted the watchdog in April 2011 to inform it that one of its students had purchased hard drives containing data belonging to the Trust. The Trust was not able to explain how the individual tasked with destroying the hard drives was able to take at least 252 of the approximately 1,000 drives away from the room in which they were stored, the ICO said.

“They [the individual] are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible,” the ICO said in a statement.

“The Trust failed significantly in its duty to its patients, and also to its staff,” added the ICO’s deputy commissioner David Smith.

Brighton and Sussex University Hospitals NHS Trust said it could not afford to pay the fine, claiming it could not understand why it had been hit by such a substantial monetary penalty, nor why the information commissioner ignored its appeals.

“The Information Commissioner has ignored our extensive representations,” Selbie added. “It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would ‘prejudice the monetary penalty process’.

“We dispute the information commissioner’s findings, especially that we were reckless, a requirement for any fine.”

Back in January, the proposed fine was set even higher, at £375,000. The £325,000 is still a record for an ICO data breach fine, far surpassing the £140,000 that Midlothian Council was hit with in January.

The ICO has started cracking down on NHS carelessness, having issued its first fine against an NHS body in April.
