Encryption News

NHS Breaches the Data Protection Act

June 2012

Brighton and Sussex University Hospitals NHS Trust has been served with the highest monetary penalty issued by the Information Commissioner's Office to date: £325,000.

The NHS Trust breached the Data Protection Act, placing the highly sensitive data of tens of thousands of patients and employees at risk. The data included details of patients' medical conditions and treatment, reports on children, and employee records. The employee data included National Insurance numbers, addresses, hospital IDs and other sensitive information.

The NHS failed to ensure that a large number of hard drives holding the sensitive information, which were due to be destroyed on site, were actually destroyed. It has since emerged that a number of these hard drives, containing the personal information of NHS patients and employees, had been auctioned on an internet site, and some are known to have been purchased by a data recovery company and a university student.

The NHS was unable to account for 252 hard drives that were removed from a secured hospital room at Brighton General Hospital, resulting in a breach of sensitive data.

The NHS is no newcomer to breaches of the Data Protection Act; various NHS trusts have found themselves in the same predicament. Just last month, May 2012, Central London Community Healthcare NHS Trust was fined £90,000 following a breach of the Data Protection Act. Patient lists containing the personal data of 59 individuals were faxed over a 3 month period to the wrong recipient, without notice; they were intended for St John's Hospice.

The first NHS organisation to receive a penalty, the Welsh Health Board, was fined £70,000 in April 2012 for a breach of the Data Protection Act. This followed an investigation into a patient report containing sensitive details that was sent to the wrong person, a former patient with a similar name.

The size of the penalties incurred by the NHS on these occasions is proportionate to the severity of each breach. The NHS handles and holds large volumes of sensitive personal data on patients and staff in various forms. Patients rely on the NHS to keep their personal information secure at all times; however, the NHS has failed significantly to achieve this on many occasions.

Information Commissioner's Office (ICO)

http://www.ico.gov.uk/news/latest_news/2012.aspx