An NHS hospital trust in the Midlands is trying to fathom how one of its computers came to be sold on eBay - along with copious dollops of confidential patient data.

The government demands that former NHS PCs containing patient data must be wiped by being over-written at least three times. The Dudley Group of Hospitals NHS Trust pays Siemens Medical Solutions to dispose of its old IT kit. As is the way of PFI agreements, Siemens then sub-contracts the actual graft to an outfit called Computer Disposals - 'experts' in disposing of obsolete IT.

According to the Trust, an internal investigation into the incident and developed recommendations to prevent data from being left on unwanted hard drives. Which is comforting.

To be fair to the Dudley Group, the confidential data was discovered only by researchers at Glamorgan University. The researchers get BT to go out and buy 250 hard drives a year from eBay and regional computer fairs, with the express intention of embarrassing organisations through finding sensitive and undeleted data.

But that's not going to make those who work for (or are sick in) the NHS feel any better about IT security therein. Let's not forget that earlier this year an online recruitment system for junior doctors publicly revealed personal information on application forms, including the young quacks' sexuality and religion.