Over 3,000 patient records were found on a second-hand NHS computer that was auctioned on eBay. NHS Surrey failed to check that the data destruction company had properly disposed of the records.
In what the ICO described as one of the most serious data breaches it has ever seen, NHS Surrey has been fined £200,000 by the Information Commissioner’s Office. “The facts of this breach are truly shocking,” ICO head of enforcement Stephen Eckersley said in a statement.
“NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted. The result was that patients’ information was effectively being sold online.”
NHS Surrey was alerted to the data loss by a member of the public who had purchased an old NHS computer and found patient records.
The data destruction company had offered free disposal of the computers in exchange for the right to sell the salvageable materials. The company promised to crush the hard disks using an industrial guillotine, but NHS Surrey failed to monitor the destruction process, the ICO ruled, and had no contract in place setting out the legal requirements for the data destruction.
DiskShred’s Philip McMichael commented that government departments must put in place contracts with reputable, accredited organisations to ensure that data destruction is completed in line with UK government standards and to comply with the Data Protection Act. The ICO has produced guidance explaining how old IT equipment containing personal information can be securely destroyed in compliance with the Act.
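The failure the ICO describes is one of verification: the records were handed over and nobody checked afterwards that the drives had actually been wiped or destroyed. One cheap control a disposing organisation can apply before a machine leaves its custody is a sampling check of the drive for residual content. The script below is an added illustration, not code from the article, the ICO guidance or DiskShred: it reads evenly spaced blocks from a disk image or block device and flags any block that still holds a recognisable file signature or a run of readable text. The signature list and the two 1 MiB demo images are constructed for the example; a wipe that leaves random data rather than zeros will still pass, since only recognisable content is reported.

```python
"""Wipe-verification sampler (illustrative; not from the article or the ICO guidance).

Reads evenly spaced blocks from a disk image or block device and reports whether
any sampled block still holds recognisable content. For a real check run it as
root against the device (e.g. /dev/sdX); the demo below uses in-memory images.
"""
import io
import re
from dataclasses import dataclass, field

# Magic numbers for formats commonly left on office machines (constructed list).
SIGNATURES = {
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP/Office OOXML container",
    b"\xd0\xcf\x11\xe0": "legacy MS Office (OLE2) file",
    b"NTFS    ": "NTFS volume header",
}
# 24+ consecutive printable ASCII bytes: vanishingly rare in random wipe patterns.
_TEXT_RUN = re.compile(rb"[ -~]{24,}")


@dataclass
class WipeReport:
    sampled: int = 0                 # blocks read
    zero_blocks: int = 0             # blocks that were entirely 0x00
    findings: list = field(default_factory=list)  # (byte offset, description)

    @property
    def clean(self) -> bool:
        return not self.findings


def inspect_block(offset: int, block: bytes, report: WipeReport) -> None:
    """Record signatures and readable text found in one sampled block."""
    if not any(block):
        report.zero_blocks += 1
        return
    for magic, name in SIGNATURES.items():
        idx = block.find(magic)
        if idx != -1:
            report.findings.append((offset + idx, f"{name} signature"))
    match = _TEXT_RUN.search(block)
    if match:
        snippet = match.group()[:32].decode("ascii")
        report.findings.append((offset + match.start(), f"readable text: {snippet!r}"))


def verify_wipe(source, block_size: int = 4096, samples: int = 256) -> WipeReport:
    """Sample up to `samples` blocks of `block_size` bytes spread evenly over `source`.

    `source` is a path (str) or a seekable binary file object. If the device is
    small enough that `samples` blocks cover it, every block is read.
    """
    f = open(source, "rb") if isinstance(source, str) else source
    try:
        f.seek(0, io.SEEK_END)
        size = f.tell()
        report = WipeReport()
        if size == 0:
            return report
        stride = max(block_size, size // samples)
        for offset in range(0, size, stride):
            f.seek(offset)
            block = f.read(block_size)
            if not block:
                break
            report.sampled += 1
            inspect_block(offset, block, report)
        return report
    finally:
        if isinstance(source, str):
            f.close()


def verify_image_bytes(data: bytes, **kwargs) -> WipeReport:
    """Convenience wrapper for checking an in-memory image."""
    return verify_wipe(io.BytesIO(data), **kwargs)


def demo_images():
    """Two constructed 1 MiB images: one zero-wiped, one still holding a record."""
    wiped = bytes(1 << 20)
    leaky = bytearray(wiped)
    record = b"%PDF-1.4\nPatient: A. N. Other, NHS number 000 000 0000 (constructed)\n"
    leaky[300_000:300_000 + len(record)] = record
    return wiped, bytes(leaky)


if __name__ == "__main__":
    wiped, leaky = demo_images()
    for label, image in (("wiped", wiped), ("leaky", leaky)):
        rep = verify_image_bytes(image)
        verdict = "clean" if rep.clean else f"{len(rep.findings)} finding(s)"
        print(f"{label}: {rep.sampled} blocks sampled, {rep.zero_blocks} zero, {verdict}")
        for off, desc in rep.findings:
            print(f"  offset {off}: {desc}")
```

A clean report from this check is evidence that the drive was wiped, not proof that it was physically destroyed; it belongs alongside, not instead of, a contract that specifies the destruction method and a certificate of destruction per serial number, which is the gap the ICO found in NHS Surrey's arrangement.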