03 July 2012


Custodians of health data sometimes walk away from medical records and responsibilities, with a particularly egregious Australian example being the Dore clinic noted here.

The UK Information Commissioner (ICO) - counterpart of Australia's OAIC - has hit Belfast Health & Social Care (BHSC) Trust with a £225,000 Civil Monetary Penalty over a serious breach of the Data Protection Act. The Trust was responsible for the management of over 50 largely disused sites, including Belvoir Park Hospital. In March 2010 the Trust was alerted that trespassers had gained access to the Belvoir Park site, taken photos of patient records and posted them online.

That breach involved the sensitive personal data of thousands of patients, including notes, X-rays, scans and lab results. It also involved staff records such as unopened payslips. Media reports indicate that some records were offered for sale on the net. Others apparently featured in horror movie videos - in the style of The Blair Witch Project? - made by intruders who accessed the buildings and got to play around with medical records, used x-ray machines, lab equipment and other kit.

A superficial search of sites such as Flickr reveals a large number of snaps of the interiors of various buildings, medical equipment and piles of files. That's consistent with the vogue for 'asylum gothick' evident in for example Asylum: Inside the Closed World of State Mental Hospitals (MIT Press 2009) by Christopher Payne.

The Commissioner reports that the Trust -
carried out inspections of seven buildings at the hospital and a large quantity of patient and staff records were discovered, some dating back to the 1950s. However, some parts of the site were not inspected because they were either locked or inaccessible, due to concerns about asbestos contamination
While the Trust took action to improve the security of the site, including repairing damaged doors and windows, on 11 April 2011, the Irish News reported that it was still possible to access the site without authorisation. The Trust then increased the number of security guards on site and carried out a full inspection which revealed further records, many of which were being retained in breach of the Trust’s ‘Records Retention and Disposal’ policy. 
The Trust failed to report the situation at the Belvoir Park site to the ICO. The ICO’s investigation found that the Trust failed to keep the information secure and also to securely destroy medical documents which it no longer required.
The Commissioner comments that -
The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose. The people involved would also have suffered additional distress as a result of the posting of this data on the Internet. “The Trust has therefore failed significantly in its duty to its patients, and we hope that the action we’ve taken sets an example for all organisations that they must keep personal data secure, irrespective of where they choose to store it.
The  Commissioner has meanwhile imposed a £325,000 penalty on the Brighton & Sussex University Hospitals NHS Trust over exposure of "highly sensitive personal data belonging to tens of thousands of patients and staff" via Trust hard drives sold on an internet auction site in 2010.

The breach occurred when the Trust’s IT service provider was asked to destroy some 1000 hard drives held at Brighton General Hospital. A data recovery company bought four hard drives from a seller on the auction site.
Although the ICO was assured in our initial investigation following this discovery that only these four hard drives were affected, a university contacted us in April 2011 to advise that one of their students had purchased hard drives via an Internet auction site. An examination of the drives established that they contained data which belonged to the Trust. .... The Trust has been unable to explain how the individual removed at least 252 of the approximate 1000 hard drives they were supposed to destroy from the hospital during their five days on site.
The data included -
  •  details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. 
  • documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.