An NHS hospital is trying to establish how a hard drive containing confidential information on patients was sold on eBay.
Dudley Group of Hospitals trust launched an inquiry after the existence of the data was brought to its attention by Glamorgan University. The university attempts data recovery on 250 hard drives a year that have been purchased second-hand through outlets such as eBay or computer fairs under a scheme sponsored by BT.
Researchers examined the drive – which was owned by the trust before appearing on the auction website – and were able to recover the confidential information.
The trust has outsourced its IT services to Siemens Medical under the terms of a private finance initiative contract, while Siemens in turn subcontracts the disposal of obsolete equipment to Computer Disposals.
Trust chief executive Paul Farenden said: “All hard drives that leave the trust via this route are subjected to data wiping which meets the UK government’s standard of being over-written three times.”
But the rogue hard drive appears not to have gone through this disposal route.
“Unfortunately an investigation into how this particular hard drive has been openly purchased has not been able to identify the route at this stage, and the trust is continuing with its efforts to identify the source including the possibility of theft,” Farenden said.
He added that Glamorgan University had securely wiped the data and assured the trust that it had not been disclosed by their researchers.
The trust and Siemens had carried out an internal investigation and developed a set of recommendations to prevent data from being left on disposed hard drives in future, Farenden added.
Recommendations, which will be put to the trust board, include a review and tightening of IT equipment disposal policies, a change to the contract between the NHS organisation and Siemens covering responsibility for disposal, and the purchase of a degausser to ensure that hard drives are wiped before they leave hospital premises.
The NHS has suffered other security breaches recently, with a laptop computer holding personal and financial information on 10,000 staff stolen from a Cornwall hospital in May. Another laptop – this time containing details of 11,500 child patients – was stolen from a Nottinghamshire primary care trust in March, but was later recovered.