Information Commissioner's Office fines NHS trust £175,000 for 'serious' security breach

An NHS trust has been fined a £175,000 penalty after a security breach led the personal details of more than 1,000 staffers to be published online.

Personal data including the names, dates of birth, national insurance numbers, and religious beliefs of employees of Devon’s Torbay Care Trust (TCT) were published on the Internet. While the breach did not contain any patient or clinical data, an Information Commissioner’s Office investigation found it to be “serious” and “extremely troubling”.

The ICO said the information was unintentionally published as a spreadsheet on the TCT’s website in April 2011, and was discovered only after a member of the public alerted authorities nearly five months later. It’s estimated that the spreadsheet was viewed 300 times before being taken down, though it’s unclear who accessed the data.

The results of the ICO investigation revealed that the trust did not have policies in place guiding employees on what kind of data should not be published online. The TCT also did not have sufficient checks to identify and address such situations. The watchdog maintained that no NHS staffers had complained about the security breach, and that the trust has since instituted information management policies to ensure that similar breaches do not occur.

“This was an organisational issue, in which the absence of sufficient checks within our processes made an error possible, and we have treated this with the utmost seriousness,” said the trust’s chief executive Anthony Farnsworth, noting that the ICO’s decision to impose a fine was disappointing.

"We have since implemented far more robust procedures for managing staff information to make this more secure, and to remove the risk of any such incidents occurring in the future.

Defending the decision to impose a six-figure fine, ICO head of enforcement Stephen Eckersley said, "Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud.”

"If the data has in fact been accessed by untrustworthy third parties then it is likely that the contravention would cause further distress and also substantial damage to the data subjects such as exposing them to identity fraud and possible financial loss,” he added.