http://news.techworld.com/security/3457470/hospital-fined-200000-after-hard-drive-full-of-patient-data-bought-on-ebay/
By John E Dunn
Techworld
14 July 2013
The ICO has hit NHS Surrey with a £200,000 ($300,000) fine after a
“shocking” lapse allowed a member of the public to buy a hard drive
containing the records of 3,000 patients that had supposedly been sent for
secure destruction.
The issue came to light when the individual contacted the former NHS Trust
in May 2012 after using recovery software to reveal the records of 2,000
children and 900 adults on a second-hand drive inside a PC reportedly
bought on eBay.
This turned out to be part of a larger consignment of PCs handed over to a
third-party company on the proviso that the hard drives and their data
were destroyed. Ten further drives inside PCs that had belonged to NHS
Surrey were discovered to have been sold on in this way despite
certificates showing their claimed disposal; a further three contained
confidential data.
The ICO's published rebuke reveals a catalogue of failures, starting with
poor oversight of the company asked to dispose of the drives. Assurances
that the drives would be physically destroyed were taken at face value, as
were the subsequent destruction certificates.
[...]
--
Visit the new and improved InfoSec News website
http://www.infosecnews.org/