NHS Trust to appeal £375k data loss penalty

An NHS Trust is to appeal against a proposed monetary penalty of £375,000 after after patient records were stolen from a hospital and sold on eBay.

The data was taken from Brighton General Hospital in September 2010, according to the BBC.

The Brighton and Sussex University Hospitals NHS Trust, says disks containing the patient data had been sold by a contractor employed to destroy them.

The Trust is challenging what would be the heaviest money penalty to date to be imposed by the Information Commissioner’s office because it was the victim of a crime, it told Outlaw.com.

"We subcontracted the destruction of these hard drives to a registered contractor who subsequently sold them on eBay," Duncan Selbie, chief executive of the Trust said in a statement.

"We are confident that there is a very low risk of any of the data from them having passed into the public domain,” he said.

In a statement the ICO said it is "currently making inquiries into a possible breach of the Data Protection Act and is unable to speculate on what action will be taken at this time."

The ICO has the power to issue penalties of up to £500,000 for serious data breaches. The ICO can issue notices indicating what punishment it considers appropriate for any breach, but can change or withdraw the proposed penalty after considering representations by the organisation involved.

The biggest penalty issued by the ICO so far is £130,000 to Powys County Council for sending details of a child protection case to the wrong recipient.

The proposed £375,000 penalty comes just weeks after the ICO published an information rights strategy in which the health sector is identified as one of the priority areas.

Other priority areas are: credit and finance, criminal justice, internet and mobile services, and security.