NHS trusts failing to protect patient data despite landmark fine

Report shows healthcare providers at risk of fines after Brighton trust rapped when harddrives are sold on the internet

Despite Brighton and Sussex University Hospitals NHS Trust being fined £260,000 following the discovery of highly-sensitive patient data on hard drives sold on an internet auction site, NHS trusts in the UK are still failing to properly audit commercial suppliers, putting them at risk of similar sanctions, a new report claims.

Research by Aston Information Security reveals that just 14% of acute trusts have properly audited commercial third party suppliers, a failing that could leave them open to massive fines under the Data Protection Act.

Patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the trust failed significantly in its duty to its patients, and also to its staff

The study comes in the same week that Brighton and Sussex University Hospitals NHS Trust paid out £260,000 to the Information Commissioner’s Office (ICO), the highest fine since the ICO was granted the power to issue civil monetary penalties (CMPs) in April 2010.

The fine for the Brighton trust, which was originally set at £325,000, but was reduced due to prompt payment, followed the discovery of highly-sensitive personal data belonging to tens of thousands of patients and staff, including some relating to HIV and genito urinary medicine patients, on hard drives sold on an internet auction site in October and November 2010.

The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.

The data breach occurred when an individual engaged by the trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1,000 hard drives held in a room accessed by key code at Brighton General Hospital. A data recovery company bought four hard drives from a seller on an internet auction site in December 2010, who had purchased them from the individual.

The fine for Brighton and Sussex University Hospitals NHS Trust signals that trusts cannot outsource their accountability for the security of data. They should not be relying on clauses in contracts to protect them

Although the ICO was assured in an initial investigation following the discovery that only these four hard drives were affected, a university later revealed that one of their students had also purchased hard drives via an internet auction. An examination of the drives established they too contained data which belonged to the trust.

During the probe, the trust was unable to explain how the individual removed at least 252 of the approximate 1,000 hard drives they were supposed to destroy from the hospital during their five days on site. They are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the trust acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible.

Following the incident, the ICO’s deputy commissioner and director of data protection, David Smith, said: “The amount of the CMP issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations - both public and private - of the importance of keeping personal information secure. That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the trust failed significantly in its duty to its patients, and also to its staff.”

Trusts make their next information governance declarations in March and it will be interesting to see how many have taken actions to reduce the unnecessary exposure of data loss and risk following this fine

As a result, the trust has now committed to providing a secure central store for hard drives and other media and is reviewing the process for vetting potential IT suppliers.

But the research by Aston Information Security, which is based on 191 responses, suggests lessons are still to be learned across the wider healthcare sector. And director, Jason Parker-Smith, warns that a lack of thorough checks and procedure audits on suppliers will open up trusts to PR crisis situations and large-scale fines.

He said: “The NHS Information Governance toolkit encourages trusts to audit commercial third parties that supply services. The fine for Brighton and Sussex University Hospitals NHS Trust signals that trusts cannot outsource their accountability for the security of data. They should not be relying on clauses in contracts to protect them.”

He added: “To reduce their risks trusts should either audit their suppliers or insist that if they are providing services that involve data that they are ISO 27001 certified.

“Trusts make their next information governance declarations in March and it will be interesting to see how many have taken actions to reduce the unnecessary exposure of data loss and risk following this fine.”

Companies