A member of the public purchased one of these PCs via the auction site and discovered that it contained sensitive patient data. He reported the details to NHS Surrey, which collected the computer and found that it still contained records relating to 900 adults and 2000 children.
NHS Surrey had a PC disposal arrangement with an approved contractor. However, a second contractor offered to do the work for free provided it could resell any salvageable equipment. NHS Surrey's IT team decided to accept this offer without involving the Trust's accountable officer for information governance. Furthermore, the IT team neither obtained a written contract for the work nor oversaw the actual data destruction, although it did receive written assurances that the data on the disks would be destroyed.
The PC in question was one of 28 bought by a third-party company from the salvage organization, which had collected 235 hard drives from NHS Surrey on February 14, 2012. NHS Surrey reclaimed the PCs and checked them against the data destruction certificates it had received from the salvage company. Three still contained sensitive personal data. However, NHS Surrey has not been able to trace the majority of the PCs disposed of via the salvage company.
The ICO head of enforcement, Stephen Eckersley, said, “The facts of this breach are truly shocking. NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted. The result was that patients’ information was effectively being sold online."
The data on the drives appears to have been deleted rather than securely wiped: it was recoverable with ordinary file-recovery software, which means the files' blocks were only unlinked from the filesystem and never overwritten. That, however, does not satisfy the ICO. “This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case," added Eckersley. "We should not have to tell organizations to think twice, before outsourcing vital services to companies who offer to work for free.”
Dave Anderson, VP at Voltage Security, believes the incident highlights the danger of 'tick box' compliance. The IT team thought it was compliant because it believed it was destroying the data securely – that particular box could be ticked. However, "a data-centric approach will protect data across the entire life cycle of that information," suggested Anderson. "If the data itself is protected, it won't matter where it resides – there will be no way to access it."
Chris McIntosh, CEO of ViaSat UK, agrees that encryption should be used as a matter of course within the NHS. "When dealing with such sensitive information, it should be protected from unauthorized access from cradle to grave: for example, if such data was encrypted when first stored then even a slip-up in disposal would not put it in danger of being compromised."
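As an added illustration of the two technical points raised above (data that is deleted but not wiped remains recoverable by carving the raw disk, and data encrypted at rest survives a disposal slip-up), the following Python simulation is not from the article or from any of the organizations quoted. It models a disk as a byte array with a toy directory; the block size, the sample patient record, the `NHS-` identifier format and the key are all constructed for the example, and an HMAC-SHA256 counter-mode keystream stands in for a real AEAD cipher so that it runs on the standard library alone.

```python
"""
Simulation of the three disposal outcomes: plain delete, overwrite-then-delete,
and encrypt-at-rest. The 'disk' is a bytearray; the directory maps a name to
(offset, length). Deleting only drops the directory entry, as most real
filesystems do, so the bytes stay in place until something overwrites them.
All sizes, records and keys below are constructed for this example.
"""
import hashlib
import hmac
import os
import re

BLOCK = 64          # assumed block size of the toy disk
DISK_BLOCKS = 32

# Constructed identifier format used to carve records out of raw bytes.
RECORD_ID = re.compile(rb"NHS-\d{10}")
RECORD = b"patient=Jane Doe;id=NHS-4857773456;dx=asthma"  # constructed sample


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(BLOCK * DISK_BLOCKS)
        self.dir = {}       # name -> (offset, length)
        self.next_free = 0

    def _span(self, length):
        return ((length + BLOCK - 1) // BLOCK) * BLOCK  # round up to blocks

    def write(self, name, data):
        if self.next_free + len(data) > len(self.raw):
            raise OSError("disk full")
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.dir[name] = (off, len(data))
        self.next_free = off + self._span(len(data))

    def read(self, name):
        off, ln = self.dir[name]
        return bytes(self.raw[off:off + ln])

    def delete(self, name):
        """Ordinary delete: unlink the entry, leave the data blocks untouched."""
        del self.dir[name]

    def secure_delete(self, name):
        """Overwrite the file's blocks with random bytes, then unlink."""
        off, ln = self.dir[name]
        span = self._span(ln)
        self.raw[off:off + span] = os.urandom(span)
        del self.dir[name]


def carve(disk):
    """What file-recovery software does: ignore the directory, scan raw bytes."""
    return [m.group().decode() for m in RECORD_ID.finditer(disk.raw)]


def safe_to_dispose(disk):
    """The check NHS Surrey skipped: verify nothing carvable remains."""
    return carve(disk) == []


def keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; a stand-in for AES-GCM, not for production.
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def scenario_plain_delete():
    d = ToyDisk()
    d.write("rec1", RECORD)
    d.delete("rec1")
    return carve(d)                     # record is still carvable


def scenario_secure_delete():
    d = ToyDisk()
    d.write("rec1", RECORD)
    d.secure_delete("rec1")
    return carve(d)                     # nothing left to carve


def scenario_encrypted_at_rest():
    key = os.urandom(32)                # held off-disk, e.g. in a KMS or TPM
    d = ToyDisk()
    d.write("rec1", encrypt(key, RECORD))
    readable = decrypt(key, d.read("rec1")) == RECORD
    d.delete("rec1")                    # sloppy delete, but only ciphertext remains
    return readable, carve(d)


if __name__ == "__main__":
    print("plain delete  ->", scenario_plain_delete())
    print("secure delete ->", scenario_secure_delete())
    print("encrypted     ->", scenario_encrypted_at_rest())
```

The `safe_to_dispose` check is the part a disposal process should actually run: a signed certificate from a contractor states intent, whereas carving a sample of the returned drives (or all of them) proves outcome. The encrypted scenario shows why McIntosh's cradle-to-grave point holds even when the deletion is done badly: the carver sees only ciphertext, and the key never touched the disk.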