Friday, 12 July 2013

NHS Surrey hit by £200,000 fine after patient data found on computers sold at auction

NHS Surrey has been hit with a £200,000 fine by the Information Commissioner’s Office (ICO) after 3,000 patient records were found on a computer sold at auction, in one of the worst cases of data handling in the health sector seen to date.
The computer was being sold by a ‘data destruction’ company to which the Trust had handed the device for wiping and resale. However, when it was bought by a member of the public the data was still on the device.

The data related to confidential sensitive personal data and HR records, including patient records relating to approximately 900 adults and 2,000 children.

Once the issue came to light NHS Surrey worked to reclaim 39 other computers sold by the data destruction provider, which worked for free on the basis that it could keep components to resell once the devices were wiped. Ten computers were recovered, three of which were found to contain sensitive data.

After investigating the incident the ICO said it found numerous issues with the Trust’s data-handling processes. It had no contract in place with the data destruction company that explained its requirements under law and it failed to monitor or observe the data destruction process. The Trust also mislaid records on the devices that had been sent for wiping and could not confirm how many computers had been sent for processing.

Stephen Eckersley, ICO head of enforcement, said the breach was “truly shocking” and that those processing sensitive data should know better.

“NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted. The result was that patients’ information was effectively being sold online,” he said.

“This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice before outsourcing vital services to companies who offer to work for free.”

The Department of Health (DoH) confirmed the fine had been received and was exploring its options.

“We take the loss of personal data very seriously. At the time NHS Surrey contacted patients involved to make them aware of the data breach. This case is currently the subject of legal proceedings.”

In June a basic fax blunder cost Staffordshire NHS Trust £55,000 while the record fine from the ICO – of £325,000 – was handed to NHS Brighton last year.
