A significant detail in the Brighton and Sussex University Hospitals NHS Trust breach?
Today Out-Law.com reports that the individual who stole the hard drives from the hospital and then sold them on eBay was an employee of the contractor the Trust had hired to destroy the drives.
Brighton and Sussex University Hospitals NHS Trust told Out-Law.com that hard drives containing patient data had been sold on the auction website by a contractor it employed to destroy them. A spokesperson for the Information Commissioner’s Office (ICO) said the watchdog had proposed fining the Trust £375,000 over the incident. The Trust has challenged the suggested penalty.
“We were the victims of a crime,” Duncan Selbie, chief executive of Brighton and Sussex University Hospitals NHS Trust said in a statement. “We subcontracted the destruction of these hard drives to a registered contractor who subsequently sold them on eBay.”
Previous coverage of this case had not made clear that the thief was an employee of the contractor. The Argus had named the contractor as Sussex Health Informatics Service.
But if it is true that a dishonest employee of the contractor was responsible, doesn’t a £375,000 fine from the ICO seem exorbitant and unreasonable? The contractor is a registered NHS contractor, so what is the Trust supposed to have done wrong?
I look forward to finding out more about why the ICO is reportedly prepared to fine the Trust for this incident.