The Information Commissioner’s Office (ICO) have fined the Belfast Health and Social Care Trust a staggering £225,000 after it was revealed that 115,000 patient and staff files were left behind after the hospital closed in 2006.
In total, there were 100,000 patient records and 15,000 staff files that were left behind. These records and files had been left on the floor, in cabinets or on shelves which obviously shows that there was a total disregard towards the security of this confidential data when it came to moving the files and records to a secure location.
The negligence towards the security of such confidential files is the main reason for the ICO imposing such a significant fine. The ICO stated, “The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose. The people involved would also have suffered additional distress as a result of the posting of this data on the internet.”
The ICO have also confirmed that all files and records have now been removed from the site and have been appropriately destroyed or filed away in an appropriate secure place.
The Belfast Health and Social Care Trust were given the responsibility to look after the 26 acre site which contains 40 separate buildings in 2007 when six separate Trusts merged into one overall Trust. When the Belfast Health and Social Care Trust took control, they employed two security guards on a permanent basis to patrol the grounds and organised five separate patrols to take place on a daily basis to assist them. CCTV and fire and intruder alarms were already in place but soon failed which left the patrolling guards with a near impossible job to ensure that trespassers didn’t break into any of the buildings.
At the end of 2007, trespassers managed to break into some of the buildings with the patrolling guards being unaware due to the CCTV and fire and intruder alarm systems being inoperative. The trespassers took photographs of the records and posted their finding on the internet.
The Trust didn’t find out about this until 2010 when someone else told them about the confidential information being posted on the internet. The Trust soon acted and started an investigation which couldn’t be conducted properly as certain areas of the site had been cordoned off because of asbestos concerns. The Trust also set about improving the security of the site and fixed damaged windows and doors. The apparent security improvements are seen to have been been futile as the Irish News reported that you could still get onto the site in April 2011.
This is yet another case of an NHS Trust showing negligence towards data belonging to patients and staff and surely an overall review into the handling of data needs to be conducted. The fact that patient records were just left on the floor and on shelves is staggering and it would be very interesting to see if plans were ever put in place to keep the files in a secure location when it was decided to close the hospital down.
