Devon health trust fined £175,000 after accidentally publishing personal details of 1,000 staff.

The "entirely avoidable" error, which saw a spreadsheet containing the equality and diversity responses of 1,373 staff published on the website of Torbay Care Trust, was only spotted when it was reported by a member of the public 19 weeks later, the ICO said. An investigation by the data protection watchdog after the breach, which occurred in April 2011, found that the Trust had no guidance for staff on what information should not be published online and did not have adequate checks in place to identify potential problems.
The amount of the penalty reflected the "very serious" nature of the breach, it said in its notice (10-page / 1.3MB PDF). The published information included "sensitive" information about the employees' religion and sexuality, as well as names, dates of birth and National Insurance numbers. The ICO said that it was unaware of any previous, similar breaches by the Trust and that no staff members had raised complaints.

NHS trust to challenge largest ever £325k data breach fine.

01 June 2012

An NHS trust in Brighton has been slammed with a £325,000 fine by the Information Commissioner's Office (ICO) after hard drives were sold online containing sensitive data on tens of thousands of patients and staff. But the trust disputes the ICO's findings and is to appeal against the fine, which it said it cannot afford. Brighton and Sussex University Hospitals NHS Trust was served with the largest ever data breach penalty after it was discovered that highly sensitive personal data, some of which belonged to HIV and Genito Urinary Medicine (GUM) patients, had been stored on hard drives sold on an internet auction site back in 2010, the ICO said.
Data was found to have included details of patients' medical conditions and treatment, disability living allowance forms and children's reports. National Insurance numbers, home addresses, ward and hospital IDs, and information on criminal convictions and suspected offences were also discovered.

NHS fined £375k after stolen patient data flogged on eBay.

The Information Commissioner is proposing to issue its heaviest ever fine for a breach of UK data protection laws. It proposes fining a health body after patient records were stolen from a hospital and sold on eBay. Brighton and Sussex University Hospitals NHS Trust told Out-Law.com that hard drives containing patient data had been sold on the auction website by a contractor it employed to destroy them.
A spokesperson for the Information Commissioner's Office (ICO) said the watchdog had proposed fining the Trust £375,000 over the incident. The Trust has challenged the suggested penalty. "We were the victims of a crime," Duncan Selbie, chief executive of Brighton and Sussex University Hospitals NHS Trust, said in a statement. "We subcontracted the destruction of these hard drives to a registered contractor who subsequently sold them on eBay." The data was lost from Brighton General Hospital in September 2010, according to a report by the BBC.

Patient details on stolen hard drives.

3:50pm Tuesday 10th January 2012 in News

Confidential information belonging to tens of thousands of patients and staff was at risk of being exposed after computer hard drives were stolen and put up for sale on eBay. The hard drives were taken from computers in a locked store at Brighton General Hospital where they were being decommissioned.
Brighton and Sussex University Hospitals NHS Trust now faces a £375,000 fine from the Information Commissioner’s Office (ICO) for a breach of the Data Protection Act. The trust says it will be contesting the fine. A 36-year-old man from Seaford was arrested on suspicion of theft and bailed several times, but the Crown Prosecution Service decided to take no further action. The trust has been served with a notice of intent to fine by the ICO and has until January 23 to respond before a final decision is made. The incident relates to the theft of 232 drives out of 1,000 being decommissioned.

Is self-policing enough to stop NHS records being viewed in India? - The Tony Collins Blog.

Oracle’s customers in the UK alone include the Department for Work and Pensions, which pays out more than £100bn a year, and HM Revenue and Customs, which collects about £500bn. But NHS Shared Business Services also has some big figures in its marketing arsenal.
Annually it:
- processes £29bn of payments
- recovers £10bn of NHS debt
- spends about £6bn through e-procurement.

It’s the main supplier of payroll services to the NHS. SBS is a 50:50 joint venture between Paris-based Steria and the Department of Health.

Why isn’t SBS even bigger than it is?

It’s remarkable that SBS isn’t even bigger than it is. Steria says that SBS will save the NHS £224m over 10 years. Indeed David Nicholson, the Chief Executive of the NHS in England, wrote to trust CEOs in 2009 asking them to justify keeping their corporate services in-house.

Media controversy as NHS work is carried out in India

Health records for sale?

Would SBS attract more NHS Trusts if its activities in India were more transparent?

NHS loses more sensitive data.

Another NHS Trust has misplaced an unencrypted USB stick containing sensitive data.
The East & North Hertfordshire NHS Trust has been found in breach of the Data Protection Act after the device was lost on a train. A junior doctor accidentally took the stick home with him, according to the Information Commissioner’s Office (ICO), which discovered the doctor in question had not been made aware of the Trust’s data protection policies. Furthermore, the doctor did not have access to email to receive policy reminders and updates, whilst no technical measures were in place to prevent misuse of portable devices. The stick, which was passed between doctors, contained brief details of patients’ conditions and medication.
“Storing sensitive personal data on unencrypted data sticks is a risk Trusts should not be willing to take,” said Mick Gorrill, head of enforcement at the ICO. “If it is vital to store information for handover, this must be done with the highest security measures in place.”

Information Commissioner’s Office (ICO) publishes details of the loss of children’s personal sensitive information.

The ICO has published details of the action it has taken against three local authorities and an NHS trust following breaches of the Data Protection Act 1998 in relation to children’s medical records. The breaches were primarily caused by a lack of staff training on how to handle personal information, and the findings serve as a useful reminder in relation to document storage for colleagues who work with children (as well as adults). The ICO’s press releases can be accessed here.

The data breaches were as follows:

The ICO has concluded that the losses were caused by a “systemic lack of training on how to handle personal information”.
Each organisation has given an undertaking to ensure it complies with the requirements to protect personal sensitive data, aimed at ensuring preventative safeguards are in place when transferring or storing children’s personal information.

Information Commissioner condemns Camden NHS for patient data lo.

Press Releases - Information Commissioner's Office (ICO)

The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO is committed to raising awareness of data protection and freedom of information rights, and to encouraging good practice. Our archive goes back to 2010.

A breach a day will keep the patients away

In most NHS Trusts, information security is high up the management agenda but low down the budgetary list. This is because the lack of a centralised pot of mandated and ring-fenced funding means that it is competing for money with higher priority issues such as patient care and the National Programme for IT (NPfIT) initiative, at the same time as healthcare bodies are trying to balance their books.
The situation is also not helped by the autonomous nature of the Trusts themselves. The fact that each has its own management structure, its own modus operandi and its own budgets to set has resulted in information security funding, resourcing and practice varying widely between them. But that is not to say that such organisations are unaware of the sensitive nature of patient data, or of how emotive an issue it is for the public and individuals should it be lost or stolen.

Knuckling down

The Information Commissioner is not the only one who has been piling on the pressure.

Data in transit.

London Health Trust Warned After Data Breach - Camden PCT has un.

Following a data leak incident, the Information Commissioner’s Office (ICO) in the UK has ordered (PDF) Camden Primary Care Trust (PCT) to ensure patient data safety when disposing of old computer equipment.
The trust risks being held in contempt of court if it does not update the Office on the progress made by March 31. In August 2008, after several computers were decommissioned, they were left next to a skip on the grounds of St. Pancras Hospital. The computers, which subsequently disappeared and were never recovered, contained information on 2,500 patients, including their names, addresses and even diagnoses. The data was not encrypted. "The ICO takes all data breaches seriously. Failure to meet the terms of the Enforcement Notice would be contempt of court and may lead to prosecution," the ICO stated in a press release (PDF). According to Mr. This is not the first time that a care trust has lost patient records.
Information Commissioner introduces £500,000 fines for data brea.

April 06, 2010

From today, a deliberate or malicious data breach can be punished with a fine of up to £500,000. As announced by the Information Commissioner's Office (ICO) in January, a penalty of up to £500,000 can now be imposed for breaching the Data Protection Act. It said in its guide to data protection that it has ‘a statutory power to impose a financial penalty on an organisation if the Information Commissioner is satisfied that there has been a serious breach of one or more of the data protection principles by the organisation, and the breach was likely to cause substantial damage or distress’.
Speaking to SC Magazine last year, former Information Commissioner Richard Thomas said that ‘most insider incidents are accidental, but the damage can be very severe, with damage to the people whose data is compromised and to the company, leading to big fines, cost, reputational and share price damage all showing why it needs to be taken seriously’.
Cases data breach nhs - Latest technology news, reviews and down.

The One Click Group - News Archives.

08 July 2009

70% of UK organizations hit by a data breach in the past year

PGP Corporation announced the results of the third annual study by The Ponemon Institute, identifying the steps UK organizations are taking in order to safeguard their confidential data. The 2009 Annual Study: UK Enterprise Encryption Trends, which polled IT security professionals at 615 enterprises and public sector organizations, found that 70% of UK organizations have been hit by at least one data breach incident within the last year, up from 60% in the previous year. The number of firms experiencing multiple breaches was also up, with 12% of respondents admitting to more than five data loss incidents in the twelve-month period (up from 3%).
Less than half of these breaches (43%) were publicly announced; there was no legal or regulatory requirement to disclose the remaining 57% of incidents. Key management is a major focus for UK businesses, accounting for 34% of all current spending on encryption.

Enforcement cases - Data Protection Act (DPA)

There are a number of tools available to the Information Commissioner’s Office for taking action to change the behaviour of organisations and individuals that collect, use and keep personal information.
They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice on a data controller. The tools are not mutually exclusive. We will use them in combination where justified by the circumstances. The main options are:

Appeals from notices are heard by the First-tier Tribunal (Information Rights), part of the General Regulatory Chamber (GRC).

Data-losing companies may be forced to spill to public • The Reg.
The European Commission will consider passing new laws forcing organisations that lose personal data to go public with that loss. The Commission has until now been opposed to the creation of wide-ranging data breach notification requirements. The Commission and European Council insisted that the data breach notification requirement in a recent Telecoms Package of reforms only applies to telecoms companies.
The European Parliament had attempted to widen its scope. The Commission has now said that it will investigate the passing of new EU-wide legislation forcing all kinds of organisation to notify any data breaches to the relevant authorities and the people affected. "The Telecoms Reform has put the issue of mandatory notification of personal data breaches firmly on the European policy agenda," said Information Society Commissioner Viviane Reding at a meeting last week organised by the European Data Protection Supervisor (EDPS). Copyright © 2009, OUT-LAW.com.
Lost mental hospital memory stick had health records • The Regis.

A USB memory stick containing personal information on patients and staff at a secure hospital near Falkirk has been found in a car park outside an Asda store in nearby Stenhousemuir. Data on the unencrypted device included names, addresses and (worse still) medical records of patients. A member of staff at the Tryst Park unit at Bellsdyke Hospital has been suspended over the incident, the BBC reports. The unit treats patients with severe mental health problems. A spokeswoman for NHS Forth Valley said: "We are very concerned to learn of this incident and are looking into it as a matter of urgency. We have clear policies in place on the safe use of portable data devices. We can confirm a member of staff has been suspended in connection with this incident."

"This incident shows yet again why data on USB drives must be encrypted at all times," said Nick Lowe, Check Point’s head of Western European sales.

Privacy watchdog looks into NHS data breach | Security Threats |