Belfast trust fined £225k for breaching data of thousands

Belfast Health and Social Care (BHSC) Trust has been slammed with the second largest ever fine to be issued by the UK’s information watchdog, after a serious data breach saw the personal data of thousands of patients and staff compromised.

Sensitive data including medical records, X-rays, scans, lab results and staff records including unopened payslips were put at risk after information was posted online following the trust’s failure to secure information stored at a disused hospital site.

The trust has apologised for causing distress and has accepted the £225,000 monetary penalty from the Information Commissioner’s Office (ICO), which it said will be paid without impact on future patient care.

The breach occurred after trespassers gained access to the Belvoir Park Hospital in March 2010, one of more than 50 largely disused sites the trust managed. According to the ICO the trespassers took photographs of a number of patient records and posted them on the internet.

A large quantity of records, some of which dated back to the 1950s, were then found at the hospital during inspections carried out by the trust. But some parts of the site could not be inspected.

The trust improved site security, but reports emerged in April 2011 that the site could still be accessed without authorisation.

Security guard presence was then increased on site and the trust carried out a full inspection revealing further records, which according to the ICO breached trust record retention and disposal policy.

The Belfast trust also failed to report the situation to the ICO.

“The severity of this penalty reflects the fact that this case involved the confidential and sensitive personal data of thousands of patients and staff being compromised,” said Ken Macdonald the ICO’s assistant commissioner for Northern Ireland.

“The trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose.

“The people involved would also have suffered additional distress as a result of the posting of this data on the internet.”

Macdonald said the trust “failed significantly” in its duty to its patients.

A spokesman for the Belfast trust said they accepted the ICO’s fine. “The records concerned are historical and do not concern any current patients,” the spokesman said. “This in no way excuses the distress this may have caused, something we apologise for. The fine will be paid from efficiency savings and will not affect patient care.”

A number of other health bodies have been hit with fines by the regulator in recent weeks and months. The ICO does have the power to issue penalties of up to £500,000 for serious breaches of the Data Protection Act. Macdonald said the action taken against the Belfast trust should set an example for all organisations which he said “must keep personal data secure”.