ICO takes action on data losses against healthcare recruitment agency

The data breach at Healthcare Locums Plc (HCL), a specialist NHS and private health recruitment agency, took place when a hard drive was transferred between the firm's offices in Skipton and Loughton, and subsequently sold on eBay.

According to the ICO, the hard drive, which contained doctors' security clearance and visa information, was apparently sold on eBay.

Infosecurity understands that the firm was unaware that the drive had gone missing, because it had no inventory that included the unit. The drive was eventually returned to the agency and wiped in June 2010.

Commenting on the case, Sally Anne-Poole, the ICO's enforcement group manager, said that the breach highlights the importance of making sure personal information is transported in a way that complies with the Data Protection Act.

"I am pleased that Healthcare Locums is taking remedial steps to make sure incidents like this one do not happen again. Mo Dedat, chief operating officer of Healthcare Locums Plc, has signed a formal Undertaking outlining that the organisation will ensure contracts are put in place between the organisation and any contractors it uses to process personal data on its behalf", she said.

"Healthcare Locums will also ensure that itineraries of equipment used to process personal data are maintained and updated in order to ensure any similar incidents are detected quickly and handled appropriately", she added.

According to Cyber-Ark's UK and Ireland director Mark Fullbrook, it is difficult to know where to start in commenting on the case: the information was not encrypted, its transfer was not logged, and the method of transit used was insecure.

"Companies of all sizes regularly store and transfer highly sensitive information regarding their employees, but what matters most are the measures taken to protect the integrity of that data every step of the way", he said.

"With that in mind, aside from a blatant disregard for the terms within the Data Protection Act, HCL's biggest failure is toward those employees that entrusted personal information to the organisation", he added.
