Health trust fined £225K for data breach at disused site

A healthcare trust in Northern Ireland has been hit with the second highest monetary penalty to date for breaching data protection laws.

The Information Commissioner’s Office has ordered Belfast Health and Social Care (BHSC) Trust to pay £225,000.

The fine comes a matter of weeks after the watchdog levied a £325,000 penalty on the Brighton and Sussex University Hospitals (BSUH) Trust after 232 hard drives containing sensitive information were sold on an internet auction site. BSUH said it would be appealing the fine.

According to the ICO, the breach by BHSC involved personal data of thousands of patients and staff. The information included medical records, X-rays, scans and lab results, and staff records including unopened payslips.

The background to the breach was the merger of six local trusts in April 2007 into the BHSC Trust.

As part of the arrangements, BHSC took on the management of more than 50 largely disused sites. These sites included Belvoir Park Hospital, which consisted of approximately 40 separate buildings in which patients with cancer or fever were treated. It closed in 2006, but the Trust did not carry out an inspection when it took over the site.

BHSC did arrange for two permanent security guards for the site as well as five daily mobile patrols.

In March 2010 BHSC was told that trespassers had gained access to Belvoir Park and taken photos of patient records before posting them online. The most recent photographs are thought to have been taken in or around May 2010, although the ICO has accepted that very few of the data subjects were identifiable from these photographs.

The Trust carried out inspections of seven buildings at the site and discovered a significant quantity of patient and staff records, including some that dated back decades. But parts of the site were not inspected because they were either locked or inaccessible, amid concerns about asbestos contamination. Many of the records had been damaged by damp and mould.

The Trust did take steps to improve the security of the site, such as repairing windows. However, in April 2011 the Irish News reported that the security of the data had again been compromised.

BHSC increased the number of security guards at the Belvoir Park Hospital site to four. It also carried out a full inspection. This found further records that, according to the ICO, were being retained in breach of BHSC’s records retention and disposal policy.

The watchdog said records on the site were stored either in boxes, in cabinets, on shelves or on the floor. The patient records included approximately 100,000 paper medical records as well as x-rays, microfiche records, hard copies of medical scans, lab results, paper ward records and various letters. Some 15,000 staff records were held in a building that had been vacated in 1992.

The ICO said it accepted that approximately 20% of the patient records were likely to relate to deceased individuals and would not be covered by the Data Protection Act.

A subsequent investigation by the watchdog concluded that the Trust had failed to keep the information secure and also to securely destroy medical documents which it no longer required.

BHSC has now removed the patient records from the site, examined them, and either retained or securely disposed of them as required, the ICO said. The Trust also implemented a decommissioning policy on 6 June 2011.

The fact that BHSC did not report the situation at the site to the ICO was seen as an aggravating factor when setting the amount of the monetary penalty.

The watchdog also said: “Taking over responsibility for more than 50 disused sites holding large amounts of confidential and sensitive personal data was a huge undertaking and in the restructure the data controller [BHSC] should have provided for the highest level of security.”

The ICO’s Assistant Commissioner for Northern Ireland, Ken Macdonald, said: “The severity of this penalty reflects the fact that this case involved the confidential and sensitive personal data of thousands of patients and staff being compromised.

“The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose. The people involved would also have suffered additional distress as a result of the posting of this data on the Internet.”

Macdonald added: “The Trust has therefore failed significantly in its duty to its patients, and we hope that the action we’ve taken sets an example for all organisations that they must keep personal data secure, irrespective of where they choose to store it.”

Philip Hoult