ICO issues second highest data breach fine for internet leak of sensitive health records

Out-Law News | 19 Jun 2012 | 1:54 pm | 3 min. read

A public health body in Northern Ireland has been ordered to pay a £225,000 fine after patient and staff records left at an abandoned hospital site were photographed by trespassers and posted on the internet.

The Information Commissioner's Office (ICO) served Belfast Health and Social Care (BHSC) Trust with the civil monetary penalty (11-page / 54KB PDF) after determining that the body had been guilty of a serious breach of the Data Protection Act (DPA). BHSC told Out-Law.com that it had accepted the fine.

Patient medical records, X-rays, scans and lab results, as well as unopened payslips belonging to staff, were left in Belvoir Park Hospital after its closure in 2006. On "several occasions" trespassers subsequently gained access to the site, took photographs of the records and posted them online, the ICO said.

After becoming aware of the data breach, BHSC conducted inspections of some of the buildings at the hospital in 2010. The inspections uncovered "a large quantity of patient and staff records ... some dating back to the 1950s," the ICO said.

However, a full inspection of the hospital site was not conducted until May 2011 following media reports that it was still possible to obtain unauthorised access to the site, despite BHSC's action to improve security.

BHSC's full inspection uncovered further records, "many of which" had been retained longer than they should have been under the Trust's own 'Records Retention and Disposal' policy, the ICO said. However, this finding was not disclosed to the ICO by BHSC and was only uncovered during the watchdog's own investigation.

The ICO said that the Trust breached the section of the DPA that requires organisations in control of personal data to take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The Act further requires organisations to be extra protective over sensitive personal data, such as patient medical records.

"In the circumstances, the data controller knew or ought to have known there was a risk that the contravention would occur unless reasonable steps were taken to prevent the contravention such as carrying out a full inspection of the site and making an inventory of the records at the outset; maintaining the integrity of the buildings that held any records; having the appropriate CCTV systems; intruder alarms; security lighting and a sufficient number of security guards to secure a 26 acre site pending its decommissioning," the ICO said in its monetary penalty notice.

"Further, taking over responsibility for more than 50 disused sites holding large amounts of confidential and sensitive personal data was a huge undertaking and in the restructure the data controller should have provided for the highest level of security. In the Commissioner’s view it should have been obvious to the data controller (as part of the NHS) that such a contravention would be of a kind likely to cause substantial distress to the data subjects due to the nature of the data involved," it said.

The watchdog added that it had factored in that BHSC had kept data "for longer than was necessary for its purposes" when considering what penalty to impose for the breach.

"The severity of this penalty reflects the fact that this case involved the confidential and sensitive personal data of thousands of patients and staff being compromised," Ken Macdonald, the ICO's Assistant Commissioner for Northern Ireland, said in a statement. "The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose. The people involved would also have suffered additional distress as a result of the posting of this data on the Internet."

"The Trust has therefore failed significantly in its duty to its patients, and we hope that the action we’ve taken sets an example for all organisations that they must keep personal data secure, irrespective of where they choose to store it," Macdonald said.

Under the DPA the ICO has the power to issue penalties of up to £500,000 for serious data breaches. A £225,000 fine is the second highest ever issued by the ICO for a data breach, although BHSC will only have to pay £180,000 as its penalty if it does so by 16 July.

"Today Belfast Trust accepted the fine by the Information Commissioner's Office for a serious breach of data storage," BHSC said in a statement. "The records concerned are historical and do not concern any current patients. This in no way excuses the distress this may have caused, something we apologise for. The fine will be paid from efficiency savings and will not affect patient care."

Earlier this month the ICO served Brighton and Sussex University Hospitals NHS Foundation Trust (BSUH) with a £325,000 civil monetary penalty after "highly sensitive personal data" was stolen from a hospital under its control and sold on eBay. BSUH said it would appeal against the decision and that it could not afford to pay the fine.