• Home
    Home This is where you can find all the blog posts throughout the site.
  • Categories
    Categories Displays a list of categories from this blog.
  • Tags
    Tags Displays a list of tags that has been used in the blog.
  • Bloggers
    Bloggers Search for your favorite blogger from this site.
  • Team Blogs
    Team Blogs Find your favorite team blogs here.
  • Login

NHS Surrey fined £200,000

Posted by on in Nsure Technology
  • Font size: Larger Smaller
  • Hits: 2052
  • Print

NHS Surrey has been fined £200,000 by data regulators over the loss of sensitive information about more than 3,000 patients. Thousands of children's patient records were found on a second-hand NHS computer that was auctioned on eBay, the BBC understands.

Regulators said NHS Surrey failed to check that a data destruction company had properly disposed of the records. Three further computers that had been sold on eBay contained sensitive data.

UK watchdog the Information Commissioner's Office (ICO) imposed the fine on the trust after patients across Surrey were affected by the data loss.

"The facts of this breach are truly shocking," ICO head of enforcement Stephen Eckersley said in a statement. "NHS Surrey chose to leave an approved provider and handed over thousands of patients' details to a company without checking that the information had been securely deleted, the result was that patients' information was effectively being sold online."

A Department of Health spokesperson said: "We take the loss of personal data very seriously.

At the time NHS Surrey contacted patients involved to make them aware of the data breach. "This case is currently the subject of legal proceedings."

The breach was one of the most serious that the ICO had seen, the data watchdog added. NHS Surrey was alerted to the data loss by a member of the public who had purchased an old NHS computer and found patient records.

Upon investigation, the trust discovered the computer contained the health records of 2,000 children and 900 adults, plus a number of NHS human resources records. A further 39 computers that had been sold by the data destruction company were recovered during the course of the investigation, with sensitive records found on three of the hard disks.

The data destruction company had offered free disposal of the computers in exchange for the sale of salvageable materials. The company promised to crush the computer hard disks using an industrial guillotine, but NHS Surrey failed to monitor the destruction process, the ICO ruled, and did not have a contract in place that explained the legal requirements of the data destruction.

In this instance had a third party financial loss arisen directly from the loss of the third party data then a cyber-liability insurance policy would have responded and paid all sums that you may become legally obliged to pay, including claimants cost and expenses, but not fines imposed.


For more information about how Nsure can help insure your business against cyber-attacks, please either email Geoff Stanbridge at This email address is being protected from spambots. You need JavaScript enabled to view it. or call 01903 520200


Adapted from BBC News UK website article 12th July 2013

Rate this blog entry:
Trackback URL for this blog entry.

Super User has not set their biography yet