£225,000 Fine for Not Securing Records
Health Info Was Accessible At Unused Hospital Site
The UK Information Commissioner's Office has fined Belfast Health and Social Care Trust £225,000 for a breach incident related to sensitive patient information that was left at a closed hospital.
The compromised information included data on thousands of patients and staff, including medical records, X-rays and scans of lab results, as well as certain staff records, including unopened pay-slips, the ICO said in a release.
Six local trusts merged into the Belfast Health and Social Care Trust in 2007. As a result of the merger, BHSC Trust took on the responsibility of managing more than 50 largely unused sites, including Belvoir Park Hospital, the ICO notes.
Belvoir Park Hospital was broken into in March 2010, and the trespassers took photos of patient records, which were then posted online, according to the release.
The Trust responded to the incident by inspecting seven buildings at the hospital. A large quantity of patient and staff records was discovered, some dating back to the 1950s, the ICO explains.
Although the Trust implemented stronger security at the site, including repairing doors and windows, a local newspaper reported in April 2011 that the site was still accessible. As a result, the Trust added more security guards and inspected the hospital further, discovering more records.
But the Trust failed to report the security situation at Belvoir Park Hospital to the authorities, the ICO contends.
The ICO's investigation determined that the Trust failed to keep information secure and securely destroy medical documents.
"The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose," says Ken Macdonald, the ICO's assistant commissioner for Northern Ireland. "The people involved would also have suffered additional distress as a result of the posting of this data on the Internet."
As a result of the incident, the Trust has since removed patient records from the site, retaining those still needed and securely disposing of others. The Trust also implemented a policy to ensure personal information is securely destroyed once it's no longer needed, the ICO said.
The £225,000 fine is the second largest issued by the ICO. In early June, the ICO issued a £325,000 fine against Brighton and Sussex University Hospitals NHS Trust for a breach involving hard drives containing healthcare information on tens of thousands of individuals that were sold on the Internet (see Largest UK Breach Penalty Appealed).