NHS Surrey has been fined £200,000 following one of the most serious data breaches seen by the Information Commissioner's Office (ICO).
The fine results from the loss of sensitive information about more than 3,000 patients – including 2,000 children. The patient records were allegedly found on a second-hand NHS computer that was auctioned on eBay. The ICO said that NHS Surrey had failed to check that the data destruction company it used had disposed of the records correctly. Three further computers sold on eBay also contained sensitive data.
In a statement, the data regulator's Head of Enforcement Stephen Eckersley said: "The facts of this breach are truly shocking. NHS Surrey chose to leave an approved provider and handed over thousands of patients' details to a company without checking that the information had been securely deleted." Mr Eckersley continued: "The result was that patients' information was effectively being sold online."
A spokesperson from the Department of Health said: "We take the loss of personal data very seriously. At the time NHS Surrey contacted patients involved to make them aware of the data breach. This case is currently the subject of legal proceedings."
NHS Surrey was alerted to the data loss by a member of the public who had bought the computer and found the records on it.
The ICO's investigation involved recovery of a further 39 computers that had been sold by the data destruction company, of which three contained sensitive data on their hard drives. The company had allegedly offered free disposal of the computers in exchange for the right to sell salvageable materials. It had undertaken to crush the hard disks using an industrial guillotine, but NHS Surrey neither monitored the destruction process nor had a contract in place setting out the legal requirements for the data destruction.
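The failure the ICO describes is the absence of any check that the drives had actually been sanitised before they left the organisation's control. The article describes no such check; the following is an added example, not code from the article, NHS Surrey or the ICO, of the minimal verification a practitioner would run over a drive image (for instance one taken with `dd` from a disk marked as wiped) before it is released: it confirms every block is zero and, if not, scans the non-zero blocks for a few well-known filesystem and document signatures that indicate surviving data. The signature list, block size, function names and the sample image are all constructed for this example.

```python
"""Added example: verify that a disk image has really been wiped.

A wiped-with-zeros disk must read back as all zeros. Any non-zero block is
reported, and non-zero blocks are also checked for a handful of well-known
magic values (real values; offsets are block-relative, which assumes the
structures are block-aligned, a simplification of this example).
"""
import io
from dataclasses import dataclass, field
from typing import BinaryIO, Iterator

BLOCK_SIZE = 4096  # assumed sampling granularity for this example

# (offset within block, magic bytes, description)
SIGNATURES = [
    (0, b"%PDF", "PDF document header"),
    (0, b"PK\x03\x04", "ZIP / OOXML (docx, xlsx) container"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 (legacy .doc/.xls) container"),
    (3, b"NTFS    ", "NTFS boot sector"),
    (510, b"\x55\xaa", "MBR/VBR boot signature"),
    (1080, b"\x53\xef", "ext2/3/4 superblock magic"),
]


@dataclass
class WipeReport:
    total_blocks: int = 0
    nonzero_blocks: int = 0
    findings: list = field(default_factory=list)  # (block index, description)

    @property
    def fully_zero(self) -> bool:
        return self.nonzero_blocks == 0


def _blocks(stream: BinaryIO) -> Iterator[bytes]:
    """Yield BLOCK_SIZE chunks; the final chunk may be shorter."""
    while True:
        chunk = stream.read(BLOCK_SIZE)
        if not chunk:
            return
        yield chunk


def verify_wipe(stream: BinaryIO) -> WipeReport:
    """Scan an image; count non-zero blocks and flag known data signatures."""
    report = WipeReport()
    zero_block = bytes(BLOCK_SIZE)
    for index, chunk in enumerate(_blocks(stream)):
        report.total_blocks += 1
        if chunk == zero_block[: len(chunk)]:
            continue  # fully zeroed block, nothing to inspect
        report.nonzero_blocks += 1
        for offset, magic, label in SIGNATURES:
            if chunk[offset : offset + len(magic)] == magic:
                report.findings.append((index, label))
    return report


def build_sample_image(wiped: bool) -> bytes:
    """Constructed 16-block sample image (not real drive contents).

    The unwiped variant carries a boot signature in block 0 and a PDF
    header in block 5, the kind of residue a half-done disposal leaves.
    """
    image = bytearray(16 * BLOCK_SIZE)
    if not wiped:
        image[510:512] = b"\x55\xaa"
        image[5 * BLOCK_SIZE : 5 * BLOCK_SIZE + 8] = b"%PDF-1.4"
    return bytes(image)


def check_image(data: bytes) -> WipeReport:
    """Convenience wrapper: verify an in-memory image."""
    return verify_wipe(io.BytesIO(data))


if __name__ == "__main__":
    for wiped in (True, False):
        r = check_image(build_sample_image(wiped))
        status = "clean" if r.fully_zero else f"{r.nonzero_blocks} non-zero blocks"
        print(f"wiped={wiped}: {status}; findings={r.findings}")
```

Two caveats apply to any such check. It only proves that the host-visible sectors were overwritten: on an SSD, remapped or over-provisioned flash is not readable through the host interface, so a clean read-back does not establish that the data is gone, and physical destruction of the media (as the contractor here had undertaken) or a firmware-level secure erase is still required. And the signature scan is a heuristic that catches obvious leftovers, not a substitute for witnessing and recording the destruction itself.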
The fine must be paid by 22 July or appealed by 19 July by the NHS Commissioning Board, as NHS Surrey was decommissioned in March following health service reforms.