Sale of Drive on eBay Leads to Fine

HIPAA Fine for data.png

Drive Slated for Destruction Contained Patient Data

Marianne Kolbasuk McGee

The UK's Information Commissioner's Office has issued a £200,000 ($300,000 U.S.) fine after a computer with a hard drive containing data on nearly 3,000 patients was sold on eBay.

"This breach is one of the most serious the ICO has witnessed, and the penalty reflects the disturbing circumstances of the case," says Stephen Eckersley, the ICO's head of enforcement.

The incident involved the now defunct NHS Surrey, a regional provider of primary care and other health services in the U.K.'s National Health Service. NHS Surrey was dissolved on March 31, 2013, with some of its legal responsibilities passing to the NHS Commissioning Board. ICO says the board will be required to pay the penalty amount by July 22 or serve a notice of appeal by July 19.

In a statement, the ICO notes: "The sensitive information was inadvertently left on the computer and sold by a data destruction company employed by NHS Surrey since March 2010 to wipe and destroy their old computer equipment. The company carried out the service for free, with an agreement that they could sell any salvageable materials after the hard drives had been securely destroyed."

The U.K. breach highlights the importance of ensuring sensitive data is properly handled when records or equipment containing that information is slated for destruction by third-party vendors.


e-End provides hard drive shredding and data destruction solutions validated by the highest eletronic ceritifcations to keep you compliant with GLB, SOX, FACTA, FISMA, HIPAA, ITAR.

We offer secured computer and electronics recycling services in Washington DC, Maryland, Virginia, Pennsylvania and Mid-Atlantic region.

Choosing e-End as your partner for IT Asset Disposition solution is the best way to recover your IT Asset value.

We also provide: Weapons Destruction - ITAR Destruction