Hospital fined £200,000 after hard drive full of patient data bought on eBay

NHS Surrey failed to oversee destruction

The Information Commissioner's Office (ICO) has hit NHS Surrey with a £200,000 ($300,000) fine after a "shocking" lapse allowed a member of the public to buy a hard drive containing the records of 3,000 patients that had supposedly been sent for secure destruction.

The issue came to light when the individual contacted the former NHS Trust in May 2012 after using recovery software to reveal the records of 2,000 children and 900 adults on a second-hand drive inside a PC reportedly bought on eBay.

This turned out to be part of a larger consignment of PCs handed over to a third-party company on the proviso that the hard drives and their data were destroyed. Ten further drives inside PCs that had belonged to NHS Surrey were discovered to have been sold on in this way despite certificates showing their claimed disposal; a further three contained confidential data.

The ICO's published rebuke reveals a catalogue of failures, starting with poor oversight of the company asked to dispose of the drives. Assurances that the drives would be physically destroyed were taken at face value as were the subsequent destruction certificates.

No members of the IT team observed the destruction or took the time to carry out a risk assessment of the firm's processes or reliability. More surprisingly, the contractor was engaged to carry out disposal despite NHS Surrey already using a separate supplier for the same task.

The ICO's judgement does not speculate on the reasons behind NHS Surrey's decision to use a new and unproven firm for disposal; the contractor did not charge NHS Surrey for the service on the basis that the PCs were supplied free of charge, the ICO noted.

Uncomfortably, between February 2011 and May 2012, the contractor picked up 1,570 PCs containing hard drives marked for disposal, the fate of some of which was now open to doubt, the ICO said.

"The facts of this breach are truly shocking. NHS Surrey chose to leave an approved provider and handed over thousands of patients' details to a company without checking that the information had been securely deleted," said the ICO's head of enforcement, Stephen Eckersley.

"The result was that patients' information was effectively being sold online. This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case," he said.

"We should not have to tell organisations to think twice before outsourcing vital services to companies who offer to work for free."

The theme of storage media turning up in the public domain containing private data is far from new. In 2012 the ICO published the results of its own survey, which found that one in ten second-hand hard drives turned out to contain personal data.
