You can never trust the ones you rely on to protect your assets

Jan 11, 2012 10:16 GMT

A total of 232 hard drives containing confidential information on Brighton General Hospital patients were stolen from a locked storage facility, where they were being decommissioned, and put up for sale on eBay.

The Brighton and Sussex University Hospitals NHS Trust appointed the Sussex Health Informatics Service to dispose of 1,000 hard drives on its behalf. The latter hired an individual to carry out the job, but it seems he did a little more than he was supposed to, The Argus reports.

The incident was discovered in December 2010, when a data recovery company purchased four units on eBay and alerted the trust. It was later revealed that more than 200 hard drives were in fact missing from the storage facility.

After a collaboration between the Information Commissioner’s Office (ICO), the NHS Counter Fraud and Sussex Police, all the stolen drives were recovered. A 36-year-old man from Seaford was arrested and bailed several times before the Crown Prosecution Service decided to take no further action.

While the trust claims that the risk of the data ending up in the wrong hands is very low, the ICO accuses it of failing to take the appropriate measures to prevent such incidents. The organization faces a £375,000 ($577,000 or 450,000 EUR) fine for breaching the Data Protection Act.

“[This was] likely to cause substantial distress to data subjects whose personal and highly sensitive personal data has been taken by an individual who had no right to see that information,” the ICO reports.

However, the trust’s chief exec Duncan Selbie believes that this was a crime and they shouldn’t be held responsible, especially since they cooperated with the authorities throughout the investigation.

The trust has until January 23 to respond and contest the notice of intent to fine served by the ICO.