HSE facing inquiry into two leaks of patient data
The inquiry will examine how the HSE has been keeping sensitive personal data in paper records at external storage facilities. The data watchdog has been told about breaches of security at two such buildings.
“The breaches notified to the DPC related to two specific locations which were accessed by unauthorised third parties, and the circulation of videos taken from these locations showing paper medical records,” according to a spokesman for the privacy watchdog.
Last November, a video posted on TikTok featured a large number of historic patient files in a disused Donegal hospital. The records, including X-ray results and medical notes, were at the former St Conal’s psychiatric hospital in Letterkenny. The person who shot the video claimed they got into the building via an unlocked door.
Last night, the HSE confirmed that it had just received a notice of commencement of an inquiry from the DPC into two separate data breaches in 2023.
“We will co-operate fully with this inquiry,” it said. “The HSE takes all breaches of data protection seriously, and manages all breaches in line with data-protection legislation and HSE policy.”
The DPC was first notified of a breach by the HSE late last year, and has been interacting with the health service since.
Des Hogan, a commissioner with the DPC, said: “We were dealing with that and more information came to light, including videos which were circulating online of some of the material in these storage facilities. This ramped up our concern. We have decided on [that] basis to start an inquiry, and we will be looking at all HSE storage facilities.”
The DPC said it does not have precise information on how many patients’ records are affected by the data breach, but the number is “significant”, and it would be safe to say “thousands” are involved. It will look at what level of security the health service has in place to safeguard medical records.
Mr Hogan agreed that looking at all the HSE storage facilities would be a huge job, but would be done “piece by piece”.
In its new annual report, the DPC says it issued 19 finalised decisions last year resulting in fines totalling €1.55bn, as well as reprimands and compliance orders. The fines included €1.2bn on Meta after a GDPR inquiry into data transfers from the EU to America, and €345m on TikTok after an examination of the processing of personal data relating to children.
Last year, the DPC imposed fines ranging between €15,000 and €750,000 on five organisations. The largest was on Bank of Ireland for data breaches on its 365 app. Centric Health was fined €460,000 following a ransomware attack affecting patient data held on its system. Some 70,000 patients were affected. In the case of 2,500 of them, their data was deleted and no back-up was available.
Overall, the DPC received 11,200 new complaints from individuals last year. It concluded a total of 11,147 cases.