Breach details
| What | Loss of sensitive personal data. |
| How much | About 10,000 records. |
| When | May 2010 |
| Why | Confidential and sensitive personal data consisting of patient and staff records, dating as far back as the 1950s, were stored in a disused site. The site had security guards but the CCTV and intruder alarms had fallen into disuse and overall security was weak. Intruders gained access to the site and posted photographs of the physicals records there on the internet. Despite security upgrades following this incident intruders were able to gain access to the site on a second occasion. The security breaches were not reported to the ICO. |
Regulatory action
| Regulator | ICO | Action | Monetary penalty of £ 225,000 |
| When | 19 June 2012 |
Why the regulator acted
| Breach of act | Site was insufficiently secure to prevent intrusion. Inappropriate organisational and technical measures. |
| Known or should have known | The insufficient amount of security was “clear”, and security upgrades after the first intrusion were clearly insufficient. |
| Likely to cause damage or distress | Medical records and financial data of employees. |
Links
| View PDF of the Belfast Health and Social Care Trust Monetary Penalty Notice (Breach Watch Archive) |
| View PDF of the Belfast Health and Social Care Trust Monetary Penalty Notice (Via ICO Website) |