Personal Medical Records Found Abandoned in HSE Data Breach
Wednesday 29th, May 2024
Unfortunately, this is seen often enough among urban explorers: they visit a former medical facility and find medical records or test results containing personal information, simply left behind.

The Data Protection Commissioner (DPC) has initiated an investigation into the Health Service Executive (HSE) following security breaches that compromised personal files stored in external facilities. The breaches involved the unauthorised access and online dissemination of paper medical records.

The DPC's inquiry centres on the HSE's methods for storing and retaining personal data in paper records managed at offsite storage locations. According to the Irish Examiner, the HSE alerted the DPC to the breaches occurring at two specific sites, which unauthorised third parties had accessed. Subsequent video footage showing these paper medical records was circulated online.

One incident reportedly took place at the now vacant St Conal's Psychiatric Hospital in Letterkenny, Co Donegal, where a video was posted on TikTok in November last year. This video showed an individual rifling through boxes of patient records. The second breach is believed to have occurred at a facility in Dublin.

The DPC received notifications about these breaches from the HSE, which acknowledged the incidents and pledged full cooperation with the investigation. A spokesperson for the HSE stated, "The HSE takes all breaches of data protection seriously and manages all breaches of data protection in line with data protection legislation and HSE policy".

DPC Chair Des Hogan mentioned that while the investigation was initially triggered by the two breach notifications, the Commission now aims to expand the scope of the probe to "look wider".

The launch of this investigation coincides with the release of the DPC's 2023 annual report, highlighting a record year for fines, with penalties amounting to €1.55 billion. This includes a notable €1.2 billion fine imposed on Meta in May 2023 over data transfers from the EU to the US. Additionally, in September 2023, the DPC fined TikTok €345 million following an investigation into the processing of children's data. Both Meta and TikTok are appealing these rulings in the High Court.

In 2023, the DPC also saw its decisions to impose administrative fines on five different organisations, ranging from €15,000 to €750,000, upheld in the Dublin Circuit Court. All these fines have been collected and transferred to the Irish Exchequer.

Among other significant fines, the DPC penalised the Bank of Ireland €750,000 in February 2023 for a series of data breaches related to its Banking 365 app, and Centric Health €460,000 in January 2023 following a ransomware attack affecting patient data.

The DPC's annual report also indicates a significant increase in activity, with 11,200 new cases from individuals in 2023, a 20% rise from 2022. Additionally, the Commission received 6,991 valid breach notifications last year, marking a similar 20% increase.

We expect more to come from this wider investigation by the DPC.
Author: Unexplained.ie

The listing image for this article is credited to jamierob2/TikTok.