The Information Commissioner's Office (ICO) has fined the Belfast Health and Social Care Trust 225,000 pounds (280,890 euros) for leaving staff data and patients' medical records unprotected in vacated hospital buildings.
The security breach, a violation of the Data Protection Act, involved thousands of records, according to the ICO, the U.K.'s independent authority responsible for upholding information rights in the public interest.
The breach compromised approximately 100,000 medical records that included patients' paper files, radiology reports, x-ray films, hard copies of digital imaging exams, lab results, inpatient records, microfiches, and letters. About 15,000 staff records including unopened wage slips also were compromised. The records were stored on shelves, on floors, in boxes, and in cabinets.
The records were located in Belvoir Park Hospital, one of more than 50 largely disused sites under the management of the Belfast Health and Social Care Trust as a result of a merger of six local trusts in April 2007. The trust was notified in March 2010 that trespassers had broken into the Belvoir Park Hospital site, and had posted photos of a number of patient records on the Internet.
The trust discovered a large quantity of patient and staff records dating back to the 1950s, but did not inspect some parts of the site because they were either locked or inaccessible due to concerns about asbestos contamination. The trust subsequently repaired damaged doors and windows, but apparently did nothing about the records.
On 11 April 2011, the Irish News reported that it was still possible to access the site. Another inspection identified additional records, and approximately 20% were of patients who presumably were deceased.
According to the ICO, the trust failed to report the situation. The ICO's independent investigation determined that the trust failed to keep the records secure and also failed to destroy medical documents that were no longer required. This resulted in the issuance of the civil monetary penalty of 225,000 pounds.
Patient records have been removed from the site and securely disposed of as required. The Belfast organization has also implemented a decommissioning policy to destroy medical records securely when they are no longer needed.