NHS Fined £200k After Computers Containing Patient Data Sold On eBay

Oops Sorry Fail - Shutterstock - © Gunnar Pippel

One of the worst data breaches the ICO has ever seen leads to hefty fine for the NHS

An NHS body has been told to pay £200,000 after over 3,000 patient records, including 2000 related to children, were found on a second-hand machine sold on an online auction site. TechWeekEurope understands that auction site is eBay.

The Information Commissioner’s Office (ICO) said it was one of the most serious data breaches it had ever seen, as a contractor for NHS Surrey failed to completely wipe and destroy 1570 hard drives containing the highly sensitive data.

The unnamed contractor said it would carry out the service for free, as long as it could sell any salvageable parts once the hard drives had been destroyed.

NHS - Shutterstock: © RTimagesAnother NHS data breach

Yet a member of public contacted NHS Surrey in May 2012, saying they had bought a computer online and found it contained patient information, including records relating to around 900 adults and 2000 children.

NHS Surrey then had to scurry around, finding another 39 computers sold by the data destruction provider, three of which still contained sensitive personal data.

The NHS body didn’t sign a contract with the provider and failed to determine whether the hard drives have been wiped, the ICO said.

The majority of the hard drives put up for sale on the internet have not been recovered, meaning a lot of sensitive data remains online.

As NHS Surrey was dissolved in March, the NHS Commissioning Board will have to pay the fine. An ICO spokesperson said it had not received any appeal notice, whilst the NHS Commissioning Board had no comment at the time of publication.

“The facts of this breach are truly shocking,” said Stephen Eckersley, ICO head of enforcement. “This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case.

“We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.”

Security expert Neira Jones warned of the potential fallout related to those machines that have note been recovered.

“If they end up in the hands of criminals and the data is accessed (and it includes information on adults and children), who knows what it can lead to, and the very least would be ID theft,” Jones told TechWeekEurope.

She said the latest fine was justified, but the contractor should still have been more responsible.

“Should they [the contractor] be accountable? Definitely not, because NHS Surrey have been entrusted with the welfare of their patients. Should the contractor be responsible? Absolutely, yes,” Jones added.

“They have not deployed processes that enables them to treat media in a way that will not compromise the privacy of individuals, despite assurances to their clients that they would do so.”

A Department of Health spokesperson added: “We take the loss of personal data very seriously. At the time NHS Surrey contacted patients involved to make them aware of the data breach.

“This case is currently the subject of legal proceedings.”

The highest fine yet handed out for a data breach in the UK was one handed to the Brighton and Sussex University Hospitals NHS Trust in 2012, after a similar case.

It was found sensitive personal data, including information on HIV patients and criminal convictions, was left on hard drives that were supposed to have been destroyed by a contractor but appeared on eBay.

The NHS has consistently been cited as one of the worst institutions for data loss, with numerous trusts caught out. Yet some have questioned whether such heavy fines should be levelled against such an organisation, when private firms like Google avoid fines for much-publicised breaches of the law, as in the case of the illegal Street View Wi-Fi data slurping.

Are you a privacy buff? Try our quiz!