Hospital fined £200,000 after hard drive full of patient data bought on eBay

NHS Surrey failed to oversee destruction


The ICO has hit NHS Surrey with a £200,000 ($300,000) fine after a “shocking” lapse allowed a member of the public to buy a hard drive containing the records of 3,000 patients that had supposedly been sent for secure destruction.

The issue came to light when the individual contacted the former NHS Trust in May 2012 after using recovery software to reveal the records of 2,000 children and 900 adults on a second-hand drive inside a PC reportedly bought on eBay.

This turned out to be part of a larger consignment of PCs handed over to a third-party company on the proviso that the hard drives and their data were destroyed. Ten further drives inside PCs that had belonged to NHS Surrey were discovered to have been sold on in this way despite certificates showing their claimed disposal; a further three contained confidential data.

The ICO's published rebuke reveals a catalogue of failures, starting with poor oversight of the company asked to dispose of the drives. Assurances that the drives would be physically destroyed were taken at face value, as were the subsequent destruction certificates.

No members of the IT team observed the destruction or took time to carry out a risk assessment of the firm's processes or reliability. More surprising, the contractor was engaged to carry out disposal despite NHS Surrey already using a separate supplier for the same task.

The ICO's judgement does not speculate on the reasons behind NHS Surrey's decision to use a new and unproven firm for disposal; the contractor did not charge NHS Surrey for the service on the basis that the PCs were supplied free of charge, the ICO noted.

Uncomfortably, between February 2011 and May 2012, the contractor picked up 1,570 PCs containing hard drives marked for disposal, the fate of some of which was now open to doubt, the ICO said.

“The facts of this breach are truly shocking. NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted,” said the ICO's head of enforcement, Stephen Eckersley.

“The result was that patients’ information was effectively being sold online. This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case,” he said.

“We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.”

The theme of storage media turning up in the public domain containing private data is far from new. In 2012 the ICO published the results of its own survey that found that one in ten second-hand hard drives turned out to contain personal data.

 




Comments

lhlrew said: Taxpayers should not have to pay for the mistakes of NHS officials to properly manage their business activities. These types of fines should be paid by the officials themselves out of their own pocket. This would stop all the shoddy behaviour we taxpayers have to put up with from government employees who are happy to take the money but show no responsibility for their actions. This also applies to Bankers who have squandered our savings and Politicians who have been spending more than they receive from the taxes paid.

uksnapper said: So our NHS money is clawed back by government to be redistributed, I presume outside the NHS. What a stupid, stupid system where a government body fines a government body whilst continuing to pay and fund pensions and golden handshakes for those responsible.


