NHS Surrey fined £200,000 for allowing PC with records of over 3,000 patients to be sold on eBay

A regulator has fined NHS Surrey £200,000 after a second hand computer sold on eBay was found to hold records of over 3,000 patients.

The Information Commissioner's Office (ICO) said that they were made aware of the sensitive information by a member of the public who found the information.

Confidential data included the personal records of around 900 adults and 2000 children. NHS Surrey has provided old computers to a data destruction company since March 2010, which has a responsibility to erase information on the systems before selling them on.

NHS Surrey mislaid the records of the equipment passed for destruction between March 2010 and 10 February 2011, and was only able to confirm that 1,570 computers were processed between 10 February 2011 and 28 May 2012. The data destruction company was unable to trace where the computers ended up, or confirm how many might still contain personal data.


Stephen Eckersley, ICO head of enforcement, said:

The facts of this breach are truly shocking. NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted. The result was that patients’ information was effectively being sold online.

This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.