BreachExchange mailing list archives

Hospital fined £200,000 after hard drive full of patient data bought on eBay


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Mon, 15 Jul 2013 15:25:52 -0500

http://news.techworld.com/security/3457470/hospital-fined-200000-after-hard-drive-full-of-patient-data-bought-on-ebay/

The ICO has hit NHS Surrey with a £200,000 ($300,000) fine after a
“shocking” lapse allowed a member of the public to buy a hard drive
containing the records of 3,000 patients that had supposedly been sent
for secure destruction.

The issue came to light when the individual contacted the former NHS
Trust in May 2012 after using recovery software to reveal the records
of 2,000 children and 900 adults on a second-hand drive inside a PC
reportedly bought on eBay.

This turned out to be part of a larger consignment of PCs handed over
to a third-party company on the proviso that the hard drives and their
data were destroyed. Ten further drives inside PCs that had belonged
to NHS Surrey were discovered to have been sold on in this way despite
certificates showing their claimed disposal; a further three contained
confidential data.

The ICO's published rebuke reveals a catalogue of failures, starting
with poor oversight of the company asked to dispose of the drives.
Assurances that the drives would be physically destroyed were taken at
face value as were the subsequent destruction certificates.

No members of the IT team observed the destruction or took time to
carry out a risk assessment of the firm's processes or reliability.
More surprising, the contractor was engaged to carry out disposal
despite NHS Surrey already using a separate supplier for the same
task.

The ICO's judgement does not speculate on the reasons behind NHS
Surrey's decision to use a new and unproven firm for disposal; the
contractor did not charge NHS Surrey for the service on the basis that
the PCs were supplied free of charge, the ICO noted.

Uncomfortably, between February 2011 and May 2012, the contractor
picked up 1,570 PCs containing hard drives marked for disposal, the
fate of some of which was now open to doubt, the ICO said.

“The facts of this breach are truly shocking. NHS Surrey chose to
leave an approved provider and handed over thousands of patients’
details to a company without checking that the information had been
securely deleted,” said the ICO's head of enforcement, Stephen
Eckersley.

“The result was that patients’ information was effectively being sold
online. This breach is one of the most serious the ICO has witnessed
and the penalty reflects the disturbing circumstances of the case,” he
said.

“We should not have to tell organisations to think twice, before
outsourcing vital services to companies who offer to work for free.”

The theme of storage media turning up in the public domain containing
private data is far from new. In 2012 the ICO published the results of
its own survey, which found that one in ten second-hand hard drives
turned out to contain personal data.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss