Anatomy of a Breach: NHS Hard Drives on eBay — Patient Records Sold for Pennies

> series: anatomy_of_a_breach —— part: 022 —— target: nhs_brighton_sussex —— hard_drives: 252 —— sold_on: ebay —— fine: £325,000

Hedgehog Security 31 October 2010 12 min read

252 hard drives. Tens of thousands of patients. Sold on eBay.

Between October and November 2010, 252 hard drives decommissioned by Brighton and Sussex University Hospitals NHS Trust were sold on eBay. The drives contained tens of thousands of patient records — names, addresses, dates of birth, NHS numbers, medical histories, and detailed clinical information. The Trust had contracted a data destruction company to securely destroy the drives. The contractor did not destroy them. Instead, they sold them as second-hand storage devices on eBay.

The breach was discovered when a member of the public purchased drives from eBay and found patient data intact. The ICO's investigation confirmed that the Trust had failed to adequately oversee the contractor's destruction process — there was no verification that the drives had actually been destroyed, no audit trail, and no certificate of destruction obtained for individual devices. The ICO imposed a fine of £325,000, its largest NHS penalty, which the Trust initially challenged (claiming it could not afford the fine) before settling at a reduced £260,000.


Paying someone to destroy data does not mean it was destroyed.

This breach was not caused by a hacking attack, a software vulnerability, or a configuration error. It was caused by a failure of supply chain oversight — the Trust outsourced data destruction to a contractor and did not verify that the destruction actually occurred. The contractor, instead of shredding or degaussing the drives as contracted, sold them for profit on eBay with patient data intact.

No Verification of Destruction

The Trust did not obtain certificates of destruction for individual drives, did not audit the contractor's destruction process, and did not verify that the contracted service was actually performed. This is the outsourcing equivalent of assuming your backup works without ever testing a restore — the theme of our <a href="/blog/anatomy-of-a-breach-sidekick-cloud-data-loss">Sidekick article</a>.

No Encryption on Decommissioned Drives

If the drives had been encrypted in use, the data would have been unreadable even if the drives were sold. Full-disk encryption — a <a href="/cyber-essentials">Cyber Essentials</a> requirement — provides defence in depth against data exposure from lost, stolen, or improperly decommissioned hardware.

No Asset Tracking

252 hard drives left the Trust's control without adequate tracking. There was no serial number registry, no chain-of-custody documentation, and no reconciliation between drives sent for destruction and destruction confirmations received. Our <a href="/penetration-testing/infrastructure">security assessments</a> include data disposal procedures as a standard review area.

NHS Surrey Had the Same Problem

Brighton and Sussex was not the only NHS trust to have decommissioned hard drives appear on eBay. NHS Surrey was fined £200,000 for a similar incident — patient records on drives sold online by a destruction contractor. The pattern indicated a systemic failure in NHS hardware decommissioning procedures, not an isolated incident.
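The reconciliation step that the "No Verification of Destruction" and "No Asset Tracking" points above describe, as an added example that is not code from the original article or from Hedgehog Security: it checks a serial-numbered dispatch manifest against the per-drive certificates of destruction a contractor returns, and reports every drive that is unaccounted for, certified but never sent, destroyed by a method other than the contracted shred or degauss, or dated before it was handed over. The record fields, serials and dates are assumed and constructed inline.

```python
"""Reconcile a drive-disposal manifest against destruction certificates.

Added example, not the article's or Hedgehog Security's code. The record
layouts are assumptions; the sample rows are constructed so it runs offline.
"""
from dataclasses import dataclass, field

# Constructed: what the Trust's asset register would record for each drive
# handed to the disposal contractor.
MANIFEST = [
    {"serial": "WD-1001", "asset": "PACS-SRV-01", "handed_over": "2010-10-04"},
    {"serial": "WD-1002", "asset": "PACS-SRV-01", "handed_over": "2010-10-04"},
    {"serial": "ST-2201", "asset": "WARD-PC-17", "handed_over": "2010-10-11"},
    {"serial": "ST-2202", "asset": "WARD-PC-18", "handed_over": "2010-10-11"},
]

# Constructed: certificates returned by the contractor. A bulk receipt with no
# serials cannot be reconciled at all, which is exactly the gap in this breach.
CERTIFICATES = [
    {"serial": "WD-1001", "method": "shred", "destroyed": "2010-10-06"},
    {"serial": "WD-1002", "method": "shred", "destroyed": "2010-10-06"},
    {"serial": "ST-2201", "method": "wipe", "destroyed": "2010-10-13"},   # not a contracted method
    {"serial": "XX-9999", "method": "shred", "destroyed": "2010-10-13"},  # serial we never sent
]

CONTRACTED_METHODS = {"shred", "degauss"}  # per the contract described in the article


@dataclass
class Report:
    unaccounted: list = field(default_factory=list)   # sent, no certificate received
    unknown: list = field(default_factory=list)       # certified, but never on our manifest
    wrong_method: list = field(default_factory=list)  # certified with a non-contracted method
    out_of_order: list = field(default_factory=list)  # "destroyed" before we handed it over

    def clean(self) -> bool:
        return not (self.unaccounted or self.unknown or self.wrong_method or self.out_of_order)


def reconcile(manifest, certificates) -> Report:
    sent = {m["serial"]: m for m in manifest}
    certs = {c["serial"]: c for c in certificates}
    r = Report()
    r.unaccounted = sorted(set(sent) - set(certs))
    r.unknown = sorted(set(certs) - set(sent))
    for serial in sorted(set(sent) & set(certs)):
        if certs[serial]["method"] not in CONTRACTED_METHODS:
            r.wrong_method.append(serial)
        if certs[serial]["destroyed"] < sent[serial]["handed_over"]:  # ISO dates sort as strings
            r.out_of_order.append(serial)
    return r
```

Any non-empty field in the report is a drive whose fate the audit trail cannot prove, and is the question to put to the contractor before the next batch leaves the building.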

Secure disposal is a security control, not an administrative task.

For any organisation handling sensitive data — patient records, financial information, personnel files — the secure disposal of hardware containing that data is a security control that requires the same rigour as any other control: documented procedures, technical enforcement (encryption, degaussing, physical destruction), verification that the control operated effectively, and audit trails that provide evidence.

Cyber Essentials certification addresses device security including secure disposal. Our infrastructure assessments review data disposal procedures and supply chain oversight. For healthcare organisations, the DSPT expects evidence of secure disposal practices. SOC in a Box for Healthcare provides ongoing monitoring of your active systems, while our assessment services verify that your decommissioning procedures protect data after systems are retired. For incident response when improperly disposed data is discovered, UK Cyber Defence provides forensic investigation.


When did you last verify that your data destruction contractor actually destroyed the data?

Our <a href="/penetration-testing/infrastructure">security assessments</a> include data disposal procedure reviews. <a href="/cyber-essentials">Cyber Essentials</a> establishes baseline device security. Because paying someone to destroy your data is not the same as verifying that they did.
