Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Hospital fined 200, 000 UKP after hard drive full of patient data bought on eBay

From: InfoSec News <alerts () infosecnews org>
Date: Mon, 15 Jul 2013 05:03:24 +0000 (UTC)
http://news.techworld.com/security/3457470/hospital-fined-200000-after-hard-drive-full-of-patient-data-bought-on-ebay/

By John E Dunn
Techworld
14 July 2013
The ICO has hit NHS Surrey with a £200,000 ($300,000) fine after a “shocking” lapse allowed a member of the public to buy a hard drive containing the records of 3,000 patients that had supposedly been sent for secure destruction.
The issue came to light when the individual contacted the former NHS Trust in May 2012 after using recovery software to reveal the records of 2,000 children and 900 adults on a second-hand drive inside a PC reportedly bought on eBay.
This turned out to be part of a larger consignment of PCs handed over to a third-party company on the proviso that the hard drives and their data were destroyed. Ten further drives inside PCs that had belonged to NHS Surrey were discovered to have been sold on in this way despite certificates showing their claimed disposal; a further three contained confidential data.
The ICO's published rebuke reveals a catalogue of failures, starting with poor oversight of the company asked to dispose of the drives. Assurances that the drives would be physically destroyed were taken at face value as were the subsequent destruction certificates. 

[...]

--
Visit the new and improved InfoSec News website
http://www.infosecnews.org/
Previous By Date Next
Previous By Thread Next

Current thread: