A data destruction company, which was first hired by NHS Surrey in March 2010 to wipe or destroy its old computer equipment, had apparently failed to wipe the PC in question before selling it. The company provided the service for free in exchange for the right to sell salvageable materials after all data had been erased.
The trust discovered the problem on May 29, 2012, when it was contacted by a member of the public whe had purchased the computer and found that it contained sensitive data.
NHS Surrey then found three more computers sold on eBay by the data destruction provider, which also contained personal information from the trust.
According to the ICO, NHS Surrey had no contract in place with the data destruction provider, and had failed to monitor the data destruction process. It also had no record of the equipment passed for destruction between March 2010 and February 2011.
"The facts of this breach are truly shocking," ICO head of enforcement Stephen Eckersley said in a statement. "NHS Surrey chose to leave an approved provider and handed over thousands of patients' details to a company without checking that the information had been securely deleted. The result was that patients' information was effectively being sold online."