Sale of Drive on eBay Leads to Fine
Drive Slated for Destruction Contained Patient Data
The UK's Information Commissioner's Office has issued a £200,000 ($300,000 U.S.) fine after a computer with a hard drive containing data on nearly 3,000 patients was sold on eBay.
"This breach is one of the most serious the ICO has witnessed, and the penalty reflects the disturbing circumstances of the case," says Stephen Eckersley, the ICO's head of enforcement.
The incident involved the now defunct NHS Surrey, a regional provider of primary care and other health services in the U.K.'s National Health Service. NHS Surrey was dissolved on March 31, 2013, with some of its legal responsibilities passing to the NHS Commissioning Board. ICO says the board will be required to pay the penalty amount by July 22 or serve a notice of appeal by July 19.
In a statement, the ICO notes: "The sensitive information was inadvertently left on the computer and sold by a data destruction company employed by NHS Surrey since March 2010 to wipe and destroy their old computer equipment. The company carried out the service for free, with an agreement that they could sell any salvageable materials after the hard drives had been securely destroyed."
The U.K. breach highlights the importance of ensuring sensitive data is properly handled when records or equipment containing that information is slated for destruction by third-party vendors.
In another recent case involving the failure to destroy patient information, Texas Health Harris Methodist Hospital Fort Worth recently disclosed it is contacting 277,000 patients to inform them of a breach involving decades-old microfiche medical records that were slated for destruction but were instead found intact in a public dumpster in a park (see: Texas Breach Affects 277,000).
Details of U.K. Case
According to the ICO, NHS Surrey on May 29, 2012, was contacted by a member of the public who had recently bought a second-hand computer online and found that it contained the details of patients treated by NHS Surrey.
NHS Surrey retrieved the computer and found confidential sensitive personal data and HR records, including patient records on approximately 900 adults and 2,000 children, on the device.
After that discovery, "NHS Surrey managed to reclaim a further 39 computers sold by the trading arm of their new data destruction provider. Ten of these computers were found to have previously belonged to NHS Surrey - three of which still contained sensitive personal data," the ICO statement says.
The ICO's investigation found that NHS Surrey lacked a contract with the data destruction services provider "which clearly explained the provider's legal requirements under the Data Protection Act, and failed to observe and monitor the data destruction process," according to the ICO statement.
The investigation also found that NHS Surrey could not find its records of the equipment turned over for destruction between March 2010 and Feb. 10, 2011, and was only able to confirm that 1,570 computers were processed between Feb. 10, 2011, and May 28, 2012. "The data destruction company was unable to trace where the computers ended up, or confirm how many might still contain personal data," according to the statement.
"The facts of this breach are truly shocking," Eckersley says. "NHS Surrey chose to leave an approved provider and handed over thousands of patients' details to a company without checking that the information had been securely deleted. The result was that patients' information was effectively being sold online."
Eckersley adds: "We should not have to tell organizations to think twice before outsourcing vital services to companies who offer to work for free."
The ICO makes available on its website guidance explaining how old IT equipment containing personal information should be securely destroyed in compliance with the U.K.'s Data Protection Act.