A man who found sensitive patient data on a city centre street and who highlighted his concerns in the media has been accused by the HSE of a data breach.
Luke Field, who found data containing patient names and details of surgical procedures on the pavement of South Terrace, Cork City on Friday, April 26, attempted to report his find to the appropriate data protection officer in the HSE South the following day. However, the office was closed over the weekend.
He then contacted Cork University Hospital (CUH) as the data related to patients attending its plastic surgery department, and was advised by a staff member to return the data to reception in a sealed envelope, and that it would be processed after the weekend.
Mr Field, a Labour candidate for Cork City South Central in the upcoming local elections, said he held off on returning the data as he wanted to hand it back to someone “with direct data protection responsibility”. He decided to contact the media to highlight the delay he encountered when trying to report his find to the appropriate official, as there was no out-of-hours contact service.
However, the HSE said because Mr Field “voluntarily disclosed” the data to a third party — the Irish Examiner — this constituted “an unauthorised disclosure” of personal data and that Mr Field is now obliged to report his own disclosure “as a further data breach to the Data Protection Commissioner”.
The Irish Examiner contacted the Data Protection Commission (DPC) to inquire if a breach had occurred, as there is an exemption when processing personal data for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes.
The commission said it “understands that there are data protection issues in relation to this, however we cannot comment further as we would need to examine the details in full”.
Mr Field said that as far as he is concerned, he doesn’t believe there is “any merit in the suggestion” that he has committed a data breach, but he is “happy to co-operate with the Data Protection Commission in their investigation of the HSE breach”.
He said he is “disappointed” with the HSE response “because the real story is that there have been two major HSE breaches in patient data in the space of a week [the other related to patients attending Our Lady of Lourdes Hospital, Drogheda] and this seems like an unfair attempt to divert attention away from that”.
The HSE said CUH is “taking the data breach very seriously and is currently investigating the incident”.
“The breach was reported to the Data Protection Commission and all data subjects will be contacted in line with HSE policy,” the statement said.
The statement also said the deputy data protection officer “was subsequently made aware that the data was shared with a third party (journalist), either prior to or after returning the data to the HSE”.
“The person who discovered the data and voluntarily disclosed it to the third party has been advised by the HSE that as this constitutes an unauthorised disclosure of the personal data, there is now an obligation on that person to report this as a further data breach to the Data Protection Commission”.