Brighton pays data breach fine

  • 26 November 2012
Brighton pays data breach fine
Brighton and Sussex University Hospitals NHS Trust declared a major incident after trouble with its IT system

Brighton and Sussex University Hospitals NHS Trust has paid a fine of £260,000 after a contractor sold hard drives containing patient information on eBay.

In June this year, the Information Commissioner’s Office issued the trust with a record-high fine of £325,000 for breaching the Data Protection Act.

The trust told eHealth Insider at the time that it “simply cannot afford to pay” and it would appeal to the Information Tribunal.

However, the trust’s annual report for 2011-12 says a reduced fine of £260,000 has been paid. Fines are reduced by 20% if paid within a certain time frame.

The report says the trust made “extensive written and oral representations on the notice of intent” issued in May, but paid the fine in June.

The breach occurred after a contractor that the trust paid to destroy hundreds of hard drives, containing sensitive patient information, instead sold them on eBay.

The annual report says that the hard drives were sold by a person whose company had been engaged by the Sussex Health Informatics Service to destroy them.

“All of the drives were recovered or otherwise accounted for and [the trust] remains confident that no patient identifiable data entered the public domain.

"[Brighton and Sussex’s] membership of the Sussex HIS concluded at the end of the 2011-12 financial year,” it adds.

“As part of bringing ownership of IT services back in-house, which took place on 1 April 2012, [the trust] has taken appropriate steps to strengthen the processes relating to the disposal of redundant hard drives.

"[This includes] a stringent due diligence process for the engagement of contractors in the wiping and disposal of redundant hard drives.

“Through the internal auditors, the audit committee will be ensuring that the trust’s information governance arrangements are subject to a rigorous process of continuous improvement and that appropriate training continues to be provided to staff in addition to that which is given during the induction process.”

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

Advanced fined £6m over stolen patient data in 2022 cyber attack

Advanced fined £6m over stolen patient data in 2022 cyber attack

The Information Commissioner’s Office has imposed a £6.09m fine on Advanced for failing to protect personal information during a cyber attack.
ICO guidance on transparency published for health and care sector

ICO guidance on transparency published for health and care sector

New guidance has been issued by ICO over how health and care organisations should be transparent over the use of personal information.
ICO reprimands NHS Lanarkshire for sharing patient data via WhatsApp

ICO reprimands NHS Lanarkshire for sharing patient data via WhatsApp

The Information Commissioner’s Office (ICO) has issued a reprimand to NHS Lanarkshire following the use of WhatsApp by staff to share patient data.