Belfast Health and Social Care Trust

Posted on 19 June 2012 by BreachMaster

Breach details

What	Loss of sensitive personal data.
How much	About 10,000 records.
When	May 2010
Why	Confidential and sensitive personal data consisting of patient and staff records, dating as far back as the 1950s, were stored in a disused site. The site had security guards but the CCTV and intruder alarms had fallen into disuse and overall security was weak. Intruders gained access to the site and posted photographs of the physicals records there on the internet. Despite security upgrades following this incident intruders were able to gain access to the site on a second occasion. The security breaches were not reported to the ICO.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 225,000
When	19 June 2012

Why the regulator acted

Breach of act	Site was insufficiently secure to prevent intrusion. Inappropriate organisational and technical measures.
Known or should have known	The insufficient amount of security was “clear”, and security upgrades after the first intrusion were clearly insufficient.
Likely to cause damage or distress	Medical records and financial data of employees.

Links

View PDF of the Belfast Health and Social Care Trust Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Belfast Health and Social Care Trust Monetary Penalty Notice (Via ICO Website)

Brighton and Sussex University Hospitals NHS Trust

Posted on 1 June 2012 by BreachMaster

Breach details

What	Loss of sensitive personal information.
How much	79,000 records.
When	March 2008
Why	Initially four hard drives sold eBay in October and November 2010 were found to contain were found to contain sensitive personal data of both patients and staff. Despite the Trust’s assurance that these were the only drives lost, further hard drives were recovered by the ICO after being sold on eBay. The Trust was unable to explain how an unnamed individual, who was sub-contracted by a sub-contractor to the IT supplier to the Trust to destroy the 1,000 hard drives, managed to remove at least 252 of the 1,000 hard drives he was supposed to be destroying from the hospital during his five days on the premises. Despite the security precautions taken there were insufficient records taken to provide a reliable audit trail of which hard drives were and were not destroyed.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 325,000
When	1 June 2012

Why the regulator acted

Breach of act	Failure to select a data processor able to provide gurantees of technical security – loss of hard drives. Inappropriate organisational and technical measures.
Known or should have known	Data controller was used to dealing with such information on a daily basis and the huge volume of personal data on the hard drives was an obvious risk.
Likely to cause damage or distress	Medical Data of Patients.

Links

View PDF of the Brighton and Sussex University Hospitals NHS Trust Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Brighton and Sussex University Hospitals NHS Trust Monetary Penalty Notice (Via ICO Website)

View the Brighton and Sussex University Hospitals response to the penalty (external archive)

Central London Community Healthcare NHS Trust

Posted on 21 May 2012 by BreachMaster

Breach details

What	Inappropriate disclosure of sensitive personal data.
How much	59 records.
When	28 March 2011
Why	On 45 occasions over a number of weeks inpatient lists were accidentally faxed to a member of the public, when it was believed they were bring faxed to the appropriate number. Procedures were in place to confirm the arrival of faxed lists, however miscommunication meant that only one reception of the lists was being confirmed, while a second fax number actually belonged to a member of the public.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 90,000
When	21 May 2012

Why the regulator acted

Breach of act	Inpatient lists faxed to incorrect recipients. Lack of sufficient policies to prevent such an event. Inappropriate organisational and technical measures.
Known or should have known	Staff were used to dealing with impatient data and were aware of its sensitivity, hence having fax protocols.
Likely to cause damage or distress	Medical data of patients.

BW Observations

This was the first Monetary Penalty Notice to be appealed to the Information Tribunal. The appeal was heard in December 2012 and the decision released on 15 Jan 2013. The appeal was rejected.

Links

View PDF of the Central London Community Healthcare NHS Trust Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Central London Community Healthcare NHS Trust Monetary Penalty Notice (Via ICO Website)

View PDF of the Information Tribunal Decision.

An analysis of the tribunal decision at the Panopticon blog. (Interestingly barristers from 11KBW acted for both the Commissioner and the Trust)

Aneurin Bevan Health Board

Posted on 30 April 2012 by BreachMaster

Breach details

What	Loss of sensitive personal data.
How much	One records.
When	24 March 2011
Why	A secretary accidentally sent a letter containing sensitive personal information to the wrong person. The correct patient’s surname had been spelt two different ways by a doctor and the letter lacked any other identifiers, and the secretary accidently chose the wrong record from the electronic patient record system.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 70,000 Undertaking issued to ensure that the checking processes to confirm patient identity prior to issuing correspondence, recommended by an internal investigation, must immediately be adopted across all the data controller’s sites.
When	30 April 2012

Why the regulator acted

Breach of act	Letter sent to the wrong recipient. Letters should not be dispatched without being checked by management. Inappropriate organisational and technical measures.
Known or should have known	Staff were used to dealing with sensitive data, but management allowed secretaries to simply rely on the electronic system rather than double checking.
Likely to cause damage or distress	Medical data.

Links

View PDF of the Aneurin Bevan Health Board Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Aneurin Bevan Health Board Monetary Penalty Notice (Via ICO Website)

View PDF of the Aneurin Bevan Health Board Undertaking (Breach Watch Archive)

View PDF of the Aneurin Bevan Health Board Undertaking (Via ICO Website)

South London Healthcare NHS Trust

Posted on 11 April 2012 by BreachMaster

What

Loss of sensitive personal data.

How much

Approximately 750 records

Why

Two unencrypted memory sticks were lost, one two separate occasions. A clipboard of ward lists was left in a grocery store and some patient paper files were inadequately secured when not in use.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile media devices containing personal data are encrypted to a sufficient standard and that staff are made aware of, and trained in, data protection policies.

Reason for action

On all of these occasions, staff were either unaware that the memory sticks they used should have been encrypted, or had removed or failed to secure data in breach of in-place policies.

When

11 Apr 2012

Links

View PDF of the South London Healthcare NHS Trust Undertaking (Via ICO Website)

View PDF of the South London Healthcare NHS Trust Undertaking (Breach Watch Archive)

St Georges Healthcare NHS Trust

Posted on 27 March 2012 by BreachMaster

What
Loss of sensitive personal data.

How much
22,000 records.

Why
6 unencrypted laptops containing the personal data of a number of patients were stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data. Mobile media devices must be encrypted to a suitable standard. Adequate checks must be carried out on contractor’s staff. All staff must receive adequate data protection training.

Reason for action
Due to network connection problems patient data had been stored on laptop C drives contrary to Trust policy and was not encrypted.

When
27 March 2009

Links
View PDF of the St Georges Healthcare NHS Trust Undertaking (Breach Watch Archive)

University Hospitals Coventry & Warwickshire NHS Trust

Posted on 27 October 2011 by BreachMaster

What

Loss of sensitive personal data on two occasions.

How much

One record and 18 records.

Why

A patient’s medical record was allegedly found in a waste bin outside Coventry’s University Hospital by a member of the public. Two months previously the records of 18 patients were found in a public waste bin in a residential apartment block.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that policies relating to the storage, use, disposure and removal from the premises of personal information are made clear to staff and that compliance is monitored.

Reason for action

The short time between the two incidents suggested that insufficient measures were being taken to safeguard personal data.

When

27 October 2011.

Links

View PDF of the University Hospitals Coventry & Warwickshire NHS Trust Undertaking (Via ICO Website)

View PDF of the University Hospitals Coventry & Warwickshire NHS Trust Undertaking (Breach Watch Archive)

Dartford and Gravesham NHS Trust

Posted on 4 October 2011 by BreachMaster

What

Accidental destruction of achieved records containing sensitive personal data.

How much

10,000 records.

Why

Records accidently placed in a disposal room.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data is physically secure against destruction.

Reason for action

Due to a lack of space in achieves, records were placed in a disposal room and accidently disposed of.

When

04 October 2011.

Links

View PDF of the Dartford and Gravesham NHS Trust Undertaking (Via ICO Undertaking)

View PDF of the Dartford and Gravesham NHS Trust Undertaking (Breach Watch Archive)

Poole Hospital NHS Trust

Posted on 4 October 2011 by BreachMaster

What

Loss of sensitive personal data.

How much

240 records.

Why

Theft of two diaries stolen from a nurses’ car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data is kept physically secure both at home and in the work place and that personal data is kept to the minimum required and anonymised where possible.

Reason for action

The diaries contained information the nurse might need off hours, but were kept, unsecured, in her car outside her home.

When

04 October 2011.

Links

View PDF of the Poole Hospital NHS Trust Undertaking (Via ICO Website)

View PDF of the Poole Hospital NHS Trust Undertaking (Breach Watch Archive)

Royal Liverpool and Broadgreen University Hospitals NHS Trust

Posted on 15 September 2011 by BreachMaster

What

Loss of sensitive personal data on two occasions.

How much

22 records and 27 records.

Why

Ward handover sheets were discovered in a street near the hospital.
A clinic bag containing paper documents was stolen from a staff members’ car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made aware of the requirements for keeping data secure.

Reason for action

Both occasions seem to have been caused by staff failing to take the proper precautions.

When

15 September 2011.

Links

View PDF of the Royal Liverpool and Broadgreen University Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Liverpool and Broadgreen University Hospitals NHS Trust Undertaking (Breach Watch Archive)

FCA/FSA (7)	£ 7,777,000
ICO DPA (55)	£ 5,573,500