[ISN] Hospital fined 200,000 UKP after hard drive full of patient data bought on eBay

http://news.techworld.com/security/3457470/hospital-fined-200000-after-hard-drive-full-of-patient-data-bought-on-ebay/

By John E Dunn
Techworld
14 July 2013

The ICO has hit NHS Surrey with a £200,000 ($300,000) fine after a "shocking" lapse allowed a member of the public to buy a hard drive containing the records of 3,000 patients that had supposedly been sent for secure destruction.

The issue came to light when the individual contacted the former NHS Trust in May 2012 after using recovery software to reveal the records of 2,000 children and 900 adults on a second-hand drive inside a PC reportedly bought on eBay.

This turned out to be part of a larger consignment of PCs handed over to a third-party company on the proviso that the hard drives and their data were destroyed. Ten further drives inside PCs that had belonged to NHS Surrey were discovered to have been sold on in this way despite certificates showing their claimed disposal; a further three contained confidential data.

The ICO's published rebuke reveals a catalogue of failures, starting with poor oversight of the company asked to dispose of the drives. Assurances that the drives would be physically destroyed were taken at face value, as were the subsequent destruction certificates.

[…]