Blackpool NHS Trust Hit with £185K Privacy Fine

Data protection watchdog the Information Commissioner’s Office (ICO) has been forced to issue another major fine to an NHS trust after a serious privacy snafu which took the hospital 10 months to notice.

Blackpool Teaching Hospitals NHS Foundation Trust is on the receiving end of a £185,000 fine this time, after accidentally publishing highly sensitive and confidential data about its employees, including NI numbers, dates of birth, religious beliefs and sexual orientation.

Ten months after the incident the Trust finally realized its mistake, but then took a further five months to notify affected staff, the ICO said in an online notice.

The privacy error came about after administrators published annual equality and diversity metrics online in the form of a spreadsheet, without realizing that the information in question could be read simply by double clicking the doc.

“This trust played fast and loose with the highly sensitive and private information that was entrusted to them. It seems they ignored their duty to put rules in place to protect staff who deliver hospital services to others,” said ICO head of enforcement, Stephen Eckersley, in a statement.

“Any measures taken to protect this information from reaching the public domain were woefully inadequate or non-existent. The fact that the error went unnoticed for so long beggars belief.”

A similar error involving ‘hidden’ data led to a £175,000 fine for the Torbay Care Trust back in 2012, and a £70,000 fine for Islington Council a year later.

The NHS is notorious for errors in data handling which have exposed the details of countless patients and staff over the years.

Most recently, East Sussex NHS Trust was forced to apologize last year after staff lost an unencrypted USB stick containing the details of 3000 patients.

In fact, of the 1677 self-reported data loss ‘incidents’ from 2014/15, a whopping 439 – just over a quarter – came from the health sector, according to the ICO’s annual report.   

One of the largest fines came in 2012 when Brighton and Sussex University Hospitals NHS Trust was hit with a £325,000 penalty following the loss of hard drives containing data on tens of thousands of patients, which appeared on eBay.
