The Information Commissioner’s Office (ICO) today says that Brighton and Sussex University Hospitals NHS Trust has been served with a Civil Monetary Penalty (CMP) of £325,000 ($498k) following a serious breach of the Data Protection Act (DPA).

The fine is the highest issued by the ICO since it was granted the power to issue CMPs in April 2010.

The fine is the result of sensitive data belonging to tens of thousands of patients and staff found on hard drives sold on an Internet auction site in October and November 2010. Some of the data related to HIV and genito urinary medicine (GUM) patients.

Details about patient’s medical conditions, treatment, disability allowance forms and children’s reports were found and the hard drives also held documents containing staff details such as National Insurance numbers, home addresses, ward and hospital IDs and information referring to criminal convictions and suspected offences.

According to the ICO, the data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010.

A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual who has not been named.

Hard drive bought by student

The reason for the high level of the fine is likely to be related to the ICO being assured that only four hard drives were affected, but the Office says, “A a university contacted us in April 2011 to advise that one of their students had purchased hard drives via an Internet auction site. An examination of the drives established that they contained data which belonged to the Trust.”

The Trust is lucky that the instance was reported rather than released online for everyone to comb through the finer details of GUM patients and staff records.

The case holds a certain element of mystery too. It seems as the Trust has been unable to explain how at least 252 of the approximate 1000 hard drives that were meant to be destroyed were taken from the hospital. The individual concerned is not believed to have known the key code required to access the room where the drives were stored and they were usually supervised by staff working for the HIS.

The ICO’s Deputy Commissioner and Director of Data Protection David Smith said:

“The amount of the CMP issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure. That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff.”

The Trust has now committed to providing a secure central store for hard drives and other media, reviewing the process for vetting potential IT suppliers, obtaining the services of a fully accredited ISO 27001 IT waste disposal company, and making progress towards central network access.

That’s a lot of work to do on top of a hefty fine. With constant headlines in the UK about NHS funding and staff pay issues, it sounds as though any NHS Trust can ill afford to pay fines on this scale following data security mistakes.