DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

UK: Man made redundant fined for stealing sensitive information

Posted on May 23, 2013 by Dissent

Infosecurity-Magazine.com reports on an insider breach where the consequences just don’t seem severe enough. The breach occurred on April 28, 2011, and was prosecuted by the Information Commissioner’s Office under Section 55 of the Data Protection Act:

When he learned that he was being made redundant from his position as Community Health Promotions Manager at a council-run leisure center, he emailed sensitive medical information on 2471 people to himself to help establish his own new company.

Paul Hedges managed the council-run Active Options GP referral service at the Bitterne Leisure Center, Southampton. This service allowed local GPs to refer patients with certain health conditions (such as obesity, diabetes, arthritis, and cardiac and mild mental health issues) to the leisure center for fitness training. The process required the transfer of some medical notes from the GP to the leisure center.

[…]

Yesterday at West Hampshire Magistrates Court he was fined £3,000 and ordered to pay a £15 victim surcharge and £1,376 prosecution costs. Information Commissioner Christopher Graham used the incident to press his campaign for tougher sanctions. “This case shows why there is a need for tough penalties to enforce the Data Protection Act,” he said. “At very least, behavior of this kind should be recognized as a ‘recordable offense’ which it isn’t now. For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statue book but needs to be activated.”

[…]

Dan Worth of V3 also reports on the case. The Information Commissioner’s Office press release on the case can be found here.

Over here, this would be one of those “exceeding authorized access” charges, I think. Certainly, criminal charges could be brought here, and I would have liked to have seen criminal charges with possible jail time in this U.K. case, as this is theft of sensitive information for purposes of financial gain. I agree with the ICO that just financial penalties aren’t enough to deter.

In this case, the ICO did not find fault with Southampton Council, as reported by Infosecurity Magazine:

In this instance, an ICO spokesman told Infosecurity that it considered that the council had taken adequate precautions to protect the data, including limiting access to those with a ‘need to know’. Hedges, however, had that need for access, and the ICO decided that it was his illegal act rather than any negligence on the part of the council that was to blame.

What are the boundaries here, though? Should a data controller like the council have no responsibility for preventing an insider breach other than issuing login credentials to those authorized to access a database? I realize this happened in April 2011, but should councils be expected to have protections in place that would prevent the extraction of data via email attachments to employees’ personal email accounts? What’s reasonable to expect of data controllers?

Category: Health Data

Post navigation

← Vendini hacked; customers’ credit card numbers possibly accessed
EEOC Gets Tough With Companies on Genetic Privacy →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.