DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

ICO fines NHS Surrey for failing to check the destruction of old computers

Posted on July 12, 2013 by Dissent

From the U.K. Information Commissioner’s Office:

The Information Commissioner’s Office (ICO) has issued NHS Surrey with a monetary penalty of £200,000 after more than 3,000 patient records were found on a second hand computer bought through an online auction site.

The sensitive information was inadvertently left on the computer and sold by a data destruction company employed by NHS Surrey since March 2010 to wipe and destroy their old computer equipment. The company carried out the service for free, with an agreement that they could sell any salvageable materials after the hard drives had been securely destroyed.

On 29 May 2012 NHS Surrey was contacted by a member of the public who had recently bought a second-hand computer online and found that it contained the details of patients’ treated by NHS Surrey. The organisation collected the computer and found confidential sensitive personal data and HR records, including patient records relating to approximately 900 adults and 2000 children, on the device.

After being alerted to the problem, NHS Surrey managed to reclaim a further 39 computers sold by the trading arm of their new data destruction provider. Ten of these computers were found to have previously belonged to NHS Surrey; three of which still contained sensitive personal data.

The ICO’s investigation found that NHS Surrey had no contract in place with their new provider, which clearly explained the provider’s legal requirements under the Data Protection Act, and failed to observe and monitor the data destruction process.

NHS Surrey mislaid the records of the equipment passed for destruction between March 2010 and 10 February 2011, and was only able to confirm that 1,570 computers were processed between 10 February 2011 and 28 May 2012. The data destruction company was unable to trace where the computers ended up, or confirm how many might still contain personal data.

Stephen Eckersley, ICO Head of Enforcement, said:

“The facts of this breach are truly shocking. NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted. The result was that patients’ information was effectively being sold online.

“This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.”

NHS Surrey was dissolved on 31 March 2013 with some of their legal responsibilities passing to the NHS Commissioning Board. The board will be required to pay the penalty amount by 22 July or serve a notice of appeal by 5pm on 19 July. The full penalty amount is eventually paid into the Treasury’s Consolidated Fund.

The ICO has produced guidance explaining how old IT equipment containing personal information can be securely destroyed in compliance with the Data Protection Act.

No related posts.

Category: Health Data

Post navigation

← TX: Personal info of 16,000 Harris County employees’ discovered in electronic files in Vietnam
Digging in their heels: Wyndham and LabMD challenge FTC’s authority in data security cases →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.