Patient records found on drive sold on eBay
- 26 September 2007
A hard drive from a trust computer, still holding patient data because it had not been properly wiped, was sold on the auction website eBay.
The trust has now launched an investigation into how the computer part was made available online. It is feared the hard disk may have been stolen from one of the trust’s hospitals.
The drive belonged to the Dudley Group of Hospitals NHS Trust, which has a Private Finance Initiative deal with Siemens Medical Solutions to wipe data from and dispose of trust computers safely. Siemens subcontracts the disposal of obsolete equipment to Computer Disposals.
However, unbeknown to the trust, Siemens and its contractor, the hard drive had not been completely wiped and was put up for sale on eBay.
A Siemens spokesperson said the computer from which the hard disk was taken was not part of the PFI contract with the trust, but the company is working alongside Dudley to ensure that procedures are in place to prevent this from happening again.
The hardware was purchased from the website by BT, as part of a sponsored research project with the University of Glamorgan. Researchers from BT and the university were able to reuse the hard drive and access confidential details of cancer patients.
The trust said in a statement: “There is an ongoing investigation into this incident involving very senior people and we are looking at possible loopholes in the system. There is no record of this machine going through the systems that Siemens has in place for disposing of equipment. We cannot have something like this happening again.”
The trust and Siemens have issued a new set of recommendations to prevent data being left on disposed-of drives, and have changed the contract to include the use of a degausser, which wipes hard drives using electromagnetic frequencies.
Trust chief executive Paul Farenden said: “All hard drives that leave the trust via this route are subjected to data wiping which meets the UK government’s standard of being over-written three times.”
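Overwriting to a government standard only helps if the result is checked before the drive leaves the building. The following is an added example, not code from the trust, Siemens or the Glamorgan researchers: it scans a drive image block by block and flags residual content, using a constructed sample image in place of a real device.

```python
"""Post-wipe verification for a disposal process (added example).

The scanner reads a raw image or a block device opened read-only, counts
blocks that are not all zeros, and flags non-zero blocks whose entropy is
too low to be an overwrite pattern: text and records look like that,
random fill does not. A drive passes only when every block is zero.
"""
import math
import random
from collections import Counter

BLOCK = 4096  # sampling granularity in bytes (constructed choice)
ENTROPY_LIMIT = 6.0  # bits/byte; structured data sits well below this


def block_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for a uniform block."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_bytes(image: bytes, block_size: int = BLOCK) -> dict:
    """Walk the image and report non-zero blocks and suspicious offsets."""
    nonzero, suspicious = 0, []
    total = math.ceil(len(image) / block_size)
    for i in range(total):
        chunk = image[i * block_size:(i + 1) * block_size]
        if chunk.count(0) != len(chunk):
            nonzero += 1
            if block_entropy(chunk) < ENTROPY_LIMIT:
                suspicious.append(i * block_size)  # looks like real data
    return {"blocks": total, "nonzero_blocks": nonzero,
            "suspicious_offsets": suspicious}


def scan_image(path: str) -> dict:
    """Same check against a file or device path, e.g. a read-only /dev/sdX."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def verify_wipe(image: bytes) -> bool:
    """Releasable only if no block carries any content at all."""
    return scan_bytes(image)["nonzero_blocks"] == 0


# Constructed sample image: two zeroed blocks, one block holding a record
# fragment (placeholder text, not real patient data), one block of
# pseudo-random overwrite residue, one more zeroed block.
RECORD = b"Patient ID 0001; diagnosis: placeholder\n" * 40
SAMPLE_IMAGE = (b"\0" * BLOCK * 2 + RECORD.ljust(BLOCK, b"\0")
                + random.Random(7).randbytes(BLOCK) + b"\0" * BLOCK)
```

Run against the constructed image the scan reports five blocks, two of them non-zero, and flags only the third block (offset 8192) as residual data, so `verify_wipe` refuses the drive.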
Dr Andy Jones, head of security technology research at BT’s Security Research Centre, said: “What’s clear is that despite the publicity, nothing much has changed. All organisations lose equipment, but if they contain sensitive data they should look to using something like encryption to make sure it’s better protected.”
Of the 133 disks the researchers obtained in the UK, all analysed using techniques accessible to anyone, only 75 were working, but the Glamorgan team found data on 62% of those, including company records, personal information, financial data and paedophile material, which has resulted in a police investigation in Wales.
Dr Andrew Blyth, principal lecturer at Glamorgan’s School of Computing, said: “We are still in a situation where over 50% of the disks contain sensitive corporate and personal data and a significant amount contained names, CVs, addresses and phone numbers. With some, the information was so detailed that they could have had their identities stolen.”