HIV records from NHS trust accidentally sold on the web -

The Information Commissioner's Office has come down hard on the Brighton and Sussex University Hospitals NHS Trust.

The watchdog has slapped the trust with a Civil Monetary Penalty (CMP) of £325,000 following a serious breach of the Data Protection Act (DPA).

And security experts have said they are not surprised at the fine, which is the highest the ICO has issued since it was granted the power to issue CMPs in April 2010.

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff, which was found on hard drives sold on an internet auction site in October and November 2010.

The ICO said some of the information was also related to HIV and Genito Urinary Medicine (GUM) patients as well as details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details such as National Insurance numbers, home addresses, ward and hospital IDs, as well as information referring to criminal convictions and suspected offences.

According to the ICO the data breach occurred when an individual was given the task of destroying the 1,000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010.

However, a data recovery company bought four hard drives from a seller on an internet auction site in December 2010, who had purchased them from the individual.

The ICO at the time was appeased with claims that these were the only four rogue disks. However, in April 2011 it was contacted by staff at a university, which advised them that one of their students had purchased hard drives via an internet auction site. An examination of the drives established that they contained data which belonged to the Trust.

The ICO said the trust had been unable to explain how the individual removed at least 252 of the approximate 1,000 hard drives they were supposed to destroy from the hospital during their five days on site.

It said they were not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital was publicly accessible.

Security and communications expert Chris McIntosh, CEO of ViaSat UK, told TechEye that the fine wasn't a surprise.

"While previously focused against local government, the ICO’s penalty powers have come more and more to bear on the NHS in recent months," McIntosh said.  "This isn’t too surprising: as one of the largest handlers of personal data in the UK, and given the sensitivity of much of that data, the NHS has had many more opportunities for such a catastrophic breach to occur."

"At the same time," McIntosh said, "a recent FOI request showed that the NHS was the most reported organisation in terms of lost data and hardware at 40 out of 108 cases nationwide in 2011 / 2012 and, more damningly, insecure disposal of data, responsible for more than twice as many cases as the entire private sector." 

"With these statistics, a penalty of this magnitude was inevitable," McIntosh continued. "Organisations need to learn from this and all of the ICO’s penalties: data must be encrypted and correctly destroyed, hardware must be kept under lock and key and contractors must be thoroughly vetted to ensure that standards are met."

Last month the ICO issued a London Community Healthcare trust with a fine of £90,000 after it found it in serious breach of the Data Protection Act.