NHS Fined £200k After Computers Containing Patient Data Sold On eBay

Oops Sorry Fail - Shutterstock - © Gunnar Pippel
0 0 6 Comments

One of the worst data breaches the ICO has ever seen leads to hefty fine for the NHS

An NHS body has been told to pay £200,000 after over 3,000 patient records, including 2000 related to children, were found on a second-hand machine sold on an online auction site. TechWeekEurope understands that auction site is eBay.

The Information Commissioner’s Office (ICO) said it was one of the most serious data breaches it had ever seen, as a contractor for NHS Surrey failed to completely wipe and destroy 1570 hard drives containing the highly sensitive data.

The unnamed contractor said it would carry out the service for free, as long as it could sell any salvageable parts once the hard drives had been destroyed.

NHS - Shutterstock: © RTimagesAnother NHS data breach

Yet a member of public contacted NHS Surrey in May 2012, saying they had bought a computer online and found it contained patient information, including records relating to around 900 adults and 2000 children.

NHS Surrey then had to scurry around, finding another 39 computers sold by the data destruction provider, three of which still contained sensitive personal data.

The NHS body didn’t sign a contract with the provider and failed to determine whether the hard drives have been wiped, the ICO said.

The majority of the hard drives put up for sale on the internet have not been recovered, meaning a lot of sensitive data remains online.

As NHS Surrey was dissolved in March, the NHS Commissioning Board will have to pay the fine. An ICO spokesperson said it had not received any appeal notice, whilst the NHS Commissioning Board had no comment at the time of publication.

“The facts of this breach are truly shocking,” said Stephen Eckersley, ICO head of enforcement. “This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case.

“We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.”

Security expert Neira Jones warned of the potential fallout related to those machines that have note been recovered.

“If they end up in the hands of criminals and the data is accessed (and it includes information on adults and children), who knows what it can lead to, and the very least would be ID theft,” Jones told TechWeekEurope.

She said the latest fine was justified, but the contractor should still have been more responsible.

“Should they [the contractor] be accountable? Definitely not, because NHS Surrey have been entrusted with the welfare of their patients. Should the contractor be responsible? Absolutely, yes,” Jones added.

“They have not deployed processes that enables them to treat media in a way that will not compromise the privacy of individuals, despite assurances to their clients that they would do so.”

A Department of Health spokesperson added: “We take the loss of personal data very seriously. At the time NHS Surrey contacted patients involved to make them aware of the data breach.

“This case is currently the subject of legal proceedings.”

The highest fine yet handed out for a data breach in the UK was one handed to the Brighton and Sussex University Hospitals NHS Trust in 2012, after a similar case.

It was found sensitive personal data, including information on HIV patients and criminal convictions, was left on hard drives that were supposed to have been destroyed by a contractor but appeared on eBay.

The NHS has consistently been cited as one of the worst institutions for data loss, with numerous trusts caught out. Yet some have questioned whether such heavy fines should be levelled against such an organisation, when private firms like Google avoid fines for much-publicised breaches of the law, as in the case of the illegal Street View Wi-Fi data slurping.

Are you a privacy buff? Try our quiz!

  1. When will the ICO get it into its head that fining a body like the NHS is just wrong and pointless, you are fining the people who are the victims – the patients/Tax payers who are effectively paying the fines.

    The fine needs to be imposed on those responsible, managers, employees or the contractor who allowed the breach to occur.

  2. Fine need not to be imposed on Managers and Employees who made this breach.

    It should be Imposed on the Organisation for being careless in their private polices later its up to the organisation how it deals with responsible officials

  3. So why is the piece of &*#$%$! contractor’s name hidden? Don’t we have the right to be protected from these kinds of crooks? How do I know, if I need to hire similar services for my organisation, that I am not hiring these crooks?

  4. Disgusting. I work for a University and I know two things for certain about our environment (and I know these policies are standard for other public sector organizations I speak to):
    1) We may not sell off equipment. All retired equipment must ALL be sent off to be securely wiped if it’s to leave the organization. Even when we used to offer old equipment to staff to take home it had to come via the I.T Department to be securely destroyed.

    Knowing this I fear whoever was auctioning off the Equipment was never allowed to do so and it’s the actions of an individual that’s hit the NHS – an already underfunded public service. Wonderful.

  5. Look, don’t get upset, how is profit meant to be made off of people’s illnesses if stuff like this cannot happen? What profit is made off people’s sickness and discomfort will be blown away by regulation costs if things like “privacy” are enforced.

    Bring on the privatisation of the NHS! Lets get regulation cut, it just interferes with the profits.

    The great thing too is that given the rate of addiction in the UK there is a fair chance the adults in these leaks have addictions. But society doesn’t look at addicition as the illness that it is, it views addiction as a moral failing (just think of the rhetoric that underpins crack-head or smack-head, or wine-o). These patient records have been leaked and people in difficult psychological situations stand to be persecuted….. that will drive them to buy more cigs and booze (good for my share portfolio) and consume more illegal drugs (good for my share portfolio of privatised security and pro-prohition entities).

    So I don’t want to see accountability here, and getting rid of regulation will make things much simpler.

    Vote Tory! Looking back (conservatism) is the way forward.

  6. I dont get it, i fail to see the logic… the NHS has been receiving cuts by the government, and then the NHS gets fined because of this ? wtf fining is extortion…