1. ITV Report

Patient files sold on eBay

The Royal Sussex County Hospital Photo: ITV Meridian

An NHS trust has been fined £325,000 by a data protection watchdog after highly sensitive files of tens of thousands of patients, including details of HIV treatment, ended up being sold on eBay.

Brighton and Sussex University Hospitals NHS Trust was given the penalty because it failed to ensure hard drives containing the information were wiped after they were handed over to a contractor.

The fine from the Information Commissioner's Office (ICO) is the highest issued by the watchdog since it was granted the power in April 2010.

The Trust's IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy information on around 1,000 hard drives in September and October 2010 that were held in a room accessed by key code at Brighton General Hospital.

But they handed the job over to an unnamed individual sub contractor who did not wipe the drives and he took at least 252 out of the hospital and 232 of them found their way on to the internet in October and November 2010.

He was arrested by police but no charges were brought over the incident, the trust said.

The highly sensitive personal data included details of patients' medical conditions, such as sexually transmitted diseases and treatment, disability living allowance forms and children's reports.

It also included documents containing staff details like National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.

Today the trust said it disputed the ICO'S finding and said it would appeal.

It said it had recovered all the disks and no information had got into the public domain and it could not afford the fine.

The breach of data protection was discovered when a data recovery company bought four hard drives from a seller on eBay in December 2010, who had purchased them from the sub contractor.

It alerted the authorities and initially the ICO were told four hard drives were affected.

But then a university contacted the ICO in April 2011 to say that one of their students had purchased trust hard drives via the internet auction site.

The ICO said the trust has been unable to explain how the individual removed the hard drives they were supposed to wipe from the hospital during their five days on site as he was supervised and did not know the code for the door.

The ICO's deputy commissioner and director of data protection David Smith said: "The amount issued in this case reflects the gravity and scale of the data breach.

"It sets an example for all organisations - both public and private - of the importance of keeping personal information secure.

"That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff."

Chief executive of Brighton and Sussex University Hospitals, Duncan Selbie said in a statement: "We dispute the Information Commissioner's findings, especially that we were reckless, a requirement for any fine.

"We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay.

"No sensitive data has therefore entered the public domain. We reported all of this voluntarily to the Information Commissioner's Office, who told me last summer that this was not a case worthy of a fine.

"The Information Commissioner has ignored our extensive representations. It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would "prejudice the monetary penalty process".

"In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available.

"We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal."

The trust said that the fine would pay for the delivery of 300 babies, 50 hip operations, 30 heart bypasses and 360 chemotherapy treatments.

The Trust is now providing a secure central store for hard drives and other media and reviewing the process for vetting potential IT suppliers.