Finder of patient details accused by HSE of data breach
A man who found sensitive patient data on a city centre street and who highlighted his concerns in the media has been accused by the HSE of a data breach.
Luke Field, who found data containing patient names and details of surgical procedures on the pavement of South Terrace, Cork City on Friday, April 26, attempted to report his find to the appropriate data protection officer in the HSE South the following day. However, the office was closed over the weekend.
He then contacted Cork University Hospital (CUH) as the data related to patients attending its plastic surgery department, and was advised by a staff member to return the data to reception in a sealed envelope, and that it would be processed after the weekend.
Mr Field, a Labour candidate for Cork City South Central in the upcoming local elections, said he held off on returning the data as he wanted to hand it back to someone âwith direct data protection responsibilityâ. He decided to contact the media to highlight the delay he encountered when trying to report his find to the appropriate official, as there was no out-of-hours contact service.
However, the HSE said because Mr Field âvoluntarily disclosedâ the data to a third party â the Irish Examiner â this constituted âan unauthorised disclosureâ of personal data and that Mr Field is now obliged to report his own disclosure âas a further data breach to the Data Protection Commissionerâ.
The Irish Examiner contacted the Data Protection Commission (DPC) to inquire if a breach had occurred, as there is an exemption when processing personal data for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes.
The commission said it âunderstands that there are data protection issues in relation to this, however we cannot comment further as we would need to examine the details in fullâ.
Mr Field said that as far as he is concerned, he doesnât believe there is âany merit in the suggestionâ that he has committed a data breach, but he is âhappy to co-operate with the Data Protection Commission in their investigation of the HSE breachâ.
He said he is âdisappointedâ with the HSE response âbecause the real story is that there have been two major HSE breaches in patient data in the space of a week [the other related to patients attending Our Lady of Lourdes Hospital, Drogheda] and this seems like an unfair attempt to divert attention away from thatâ.
The HSE said CUH is âtaking the data breach very seriously and is currently investigating the incidentâ.
âThe breach was reported to the Data Protection Commission and all data subjects will be contacted in line with HSE policy,â the statement said.
The statement also said the deputy data protection officer âwas subsequently made aware that the data was shared with a third party (journalist), either prior to or after returning the data to the HSEâ.
âThe person who discovered the data and voluntarily disclosed it to the third party has been advised by the HSE that as this constitutes an unauthorised disclosure of the personal data, there is now an obligation on that person to report this as a further data breach to the Data Protection Commissionâ.
CONNECT WITH US TODAY
Be the first to know the latest news and updates
