An NHS Trust is disputing a record fine the Information Commissioner's Office has levelled at it for leaving tons of data on patients and staff on hard drives that were sold on eBay instead of being destroyed.
Brighton and Sussex University Hospitals NHS Trust was served a civil monetary penalty of £325,000, the highest handed out since the ICO got the power to lay financial smackdowns in April 2010. The Trust said it didn't agree with the ICO's findings and was appealing the fine.
The ICO claims that the private data of tens of thousands of patients and employees was left on the sold hard drives, including information from the HIV and Genito-Urinary Medicine department, which included personal identifiers like dates of birth and occupations as well as sensitive medical data on their STD test results, diagnoses and sexual preferences. The database also held the names and dates of birth of 1,527 HIV-positive patients.
While in this case the NHS hasn't actually killed anyone, their incompetence is truly staggering.
There are three obvious, quick and easy steps they could have taken:
- Delete the files - your average office admin should be capable of this much.
- Securely wipe the disks - standard practice for any competent sysadmin (at work we use standard Linux utilities that repeatedly write random ones and zeros over the disk).
- Take a hammer to the hard drive.
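The second step, overwriting the disk with random data and then zeros, as an added example in POSIX shell. This is my own illustration, not code from the post or from the Trust; it assumes `dd` and `/dev/urandom` are available, the function names are mine, and the demo runs against a scratch file so it can be tried safely. The same `dd` calls apply to a whole device given its path and its size (on Linux, `blockdev --getsize64`). One caveat a practitioner would add to the post's list: overwriting only reaches sectors the drive still exposes, so for SSDs and for drives with remapped sectors, a firmware erase (ATA Secure Erase, NVMe sanitize) or destroying the key of an encrypted disk is the right tool, with the hammer as the fallback.

```shell
#!/bin/sh
# Added example (not from the post): overwrite a file or disk in place with
# random data, then zeros, and check that nothing of the original survives.
# Assumes a POSIX sh with dd and /dev/urandom. The demo below uses a scratch
# file; for a real disk pass the device path and its size in bytes.
set -u

# Overwrite exactly $size bytes of $path with bytes read from $src, in place.
# conv=notrunc keeps the length fixed so the filesystem allocates no new blocks
# and every original byte is actually hit.
overwrite_from() {
    src=$1; path=$2; size=$3
    blocks=$(( size / 4096 ))
    rem=$(( size % 4096 ))
    if [ "$blocks" -gt 0 ]; then
        dd if="$src" of="$path" bs=4096 count="$blocks" conv=notrunc 2>/dev/null || return 1
    fi
    if [ "$rem" -gt 0 ]; then
        # trailing partial block: bs=1 so that seek= is counted in bytes
        dd if="$src" of="$path" bs=1 count="$rem" seek=$(( blocks * 4096 )) conv=notrunc 2>/dev/null || return 1
    fi
    return 0
}

# secure_wipe PATH [PASSES]: PASSES random passes followed by one zero pass.
# Caveat: this only reaches sectors the drive still exposes; remapped sectors
# and SSD spare area need a firmware erase or encryption-key destruction.
secure_wipe() {
    path=$1
    passes=${2:-3}
    [ -r "$path" ] || return 1
    size=$(( $(wc -c < "$path") ))
    i=0
    while [ "$i" -lt "$passes" ]; do
        overwrite_from /dev/urandom "$path" "$size" || return 1
        i=$(( i + 1 ))
    done
    overwrite_from /dev/zero "$path" "$size" || return 1
}

# verify_zeroed PATH: succeed only if every byte of PATH is NUL.
verify_zeroed() {
    [ "$(( $(tr -d '\000' < "$1" | wc -c) ))" -eq 0 ]
}

# Demo on a constructed scratch file: write fake records, wipe, then verify
# the size is unchanged, the records are gone and only zeros remain.
demo_wipe() {
    f=$(mktemp) || return 1
    i=0
    while [ "$i" -lt 300 ]; do
        echo "CONSTRUCTED-RECORD patient $i, dob 01/01/1970, result negative"
        i=$(( i + 1 ))
    done > "$f"
    before=$(( $(wc -c < "$f") ))
    secure_wipe "$f" 2 || { rm -f "$f"; return 1; }
    after=$(( $(wc -c < "$f") ))
    if [ "$before" -eq "$after" ] && ! grep -q CONSTRUCTED-RECORD "$f" && verify_zeroed "$f"; then
        echo "wiped $after bytes of $f: no original content left"
        rm -f "$f"
        return 0
    fi
    rm -f "$f"
    return 1
}

if [ "${1:-}" = "demo" ]; then
    demo_wipe
fi
```

Run it as `sh wipe.sh demo` to see the scratch-file round trip. Coreutils `shred -n 3 -z` does the same random-then-zero overwrite in one command, which is the kind of standard Linux utility the post refers to; the point of spelling it out with `dd` is that the verification step (size unchanged, no original strings, all zeros) is what separates "we wiped it" from "we think we wiped it".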
Not very difficult. Not the sort of task you need to contract out.
To this depressing but sadly familiar story of government incompetence we add the farce of the ICO fine. It's hard to see what possible good could come of this.
The Register's subtitle sums it up nicely: the government fights itself over your money.