The Brighton and Sussex University Hospitals NHS Trust has been hit with pound 325,000 monetary penalty for breaching the Data Protection Act.
The penalty is the highest since the Information Commissioner's Office (ICO) was granted the power to issue civil monetary penalties up to pound 500,000 in April 2010.
The penalty relates to the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff on hard drives sold on internet auction site eBay in October and November 2010.
The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including national insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.
The ICO said the data breach occurred when an individual engaged by the trust’s IT service provider, Sussex Health Informatics Service (HIS), was asked to destroy about 1,000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010.
In December 2010, a data recovery company bought four hard drives on eBay from a seller who had purchased them from the individual who was asked to destroy them.
"Although the ICO was assured in our initial investigation following this discovery that only these four hard drives were affected, a university contacted us in April 2011 to advise that one of their students had purchased hard drives via an internet auction site that also contained data which belonged to the Trust," the ICO said.
Brighton and Sussex University Hospitals NHS Trust has been unable to explain how at least 252 of the disks were removed from the hospital.
The pound 325,000 penalty reflects the gravity and scale of the data breach, said the ICO’s deputy commissioner and director of data protection, David Smith.
"It sets an example for all organisations - both public and private - of the importance of keeping personal information secure," Smith said.
"That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure.
"In this case, the trust failed significantly in its duty to its patients, and also to its staff," Smith said.
The trust has committed to providing a secure central store for hard drives and other media, reviewing the process for vetting potential IT suppliers, obtaining the services of a fully accredited ISO 27001 IT waste disposal company and making progress towards central network access.
However, the trust disputes the ICO's findings, especially that it was negligent, and plans to appeal to the Information Tribunal in one of the first challenges by a public sector organisation against a penalty issued by the ICO.
"We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay," said Duncan Selbie, chief executive of Brighton and Sussex University Hospitals.
"No sensitive data has therefore entered the public domain. We reported all of this voluntarily to the Information Commissioner’s Office, who told me last summer that this was not a case worthy of a fine," he said.
Selbie said the ICO has ignored the Trust's extensive representations.
"It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would 'prejudice the monetary penalty process'," said Selbie.
Selbie said that, during a time of austerity, the trust had to ensure more than ever that it delivers the best and safest care to patients with the money available.
"We simply cannot afford to pay a pound 325,000 fine and are therefore appealing to the Information Tribunal," he said.