We’ve talked about data breaches here at IT-Lex before, but this story is particularly remarkable. The National Health Service in the UK was just fined £200,000 (just over $300,000) after classified patient data was discovered on computers that had been sold on eBay. Oh dear.

Tech Week Europe reports:

The Information Commissioner’s Office (ICO) said it was one of the most serious data breaches it had ever seen, as a contractor for NHS Surrey failed to completely wipe and destroy 1570 hard drives containing the highly sensitive data.

The unnamed contractor said it would carry out the service for free, as long as it could sell any salvageable parts once the hard drives had been destroyed.

A member of the public bought the computer, and found data about “900 adults and 2000 children”. This individual called NHS Surrey, who then had to rush around and locate the other 39 computers that the contractor had sold. Of those recovered, three others also contained patient information. They’re not in the clear, yet though:

The majority of the hard drives put up for sale on the internet have not been recovered, meaning a lot of sensitive data remains online.

The ICO’s Head of Enforcement said in a statement:

Stephen Eckersley, ICO Head of Enforcement, said:

“The facts of this breach are truly shocking. NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted. The result was that patients’ information was effectively being sold online.

“This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.”