The United Kingdom’s Information Commissioner’s Office (“ICO”) levied a $499,460 civil monetary penalty (“CMP”) to Brighton and Sussex University Hospitals after discovering staff and patients’ sensitive data contained on hard drives sold on Ebay in late 2010. The breach reportedly exposed tens of thousands of patients’ health information, including HIV status and treatment, other diagnostic and treatment information, disability living allowances and children’s reports. The Brighton and Sussex University Hospitals are NHS trust hospitals.
The breach occurred when the NHS trust’s information technology provider was set to destroy 1,000 hard drives held in a key access only room at Brighton General Hospital. A sub-contractor did not wipe or destroy the drives and took at least 252 out of the hospital. The majority of those found their way on to the internet for auction in October and November 2010.
This the largest fine issued by the ICO since it began issuing CMPs in April 2010 sending the clear message that the ICO intends to ensure compliance with the UK’s security and data protection regulations through their enforcement authority and by levying CMPs for those companies out of compliance.
