Documents with sensitive patient data identifying children and adults, details of surgical procedures, and reasons for missing appointments have been found on a busy city-centre street in Cork.
The highly personalised information relating to patients attending Cork University Hospital (CUH) for plastic surgery was discovered by Luke Field, a Labour Party local election candidate in Cork City South Central.
Children are readily identifiable because dates of birth are included, as well as references to different children’s wards at CUH, including Ladybird, Seahorse, and Puffin.
Details of procedures listed include “right eyebrow laceration repair”, “extensor [tendon] injury to left thumb”, “laceration left ear lobe”, and “debridement left lower leg [removal of dead tissue to promote wound healing] & VAC [vacuum assisted drainage] and removal of fibular plate”.
The data includes admission and discharge dates, the treating clinicians, and whether the patient is public or private.
Mr Field discovered the data on a printout lying on the ground as he returned to his home on South Terrace on the night of Friday, April 26.
“‘I was walking home with my partner and we spotted something near the apartment block that seemed to have people’s names and other information on it, so we picked it up and took it inside before it could be blown all over town by Storm Hannah,” Mr Field said.
He attempted to contact the data protection offer for the HSE South over the weekend, but the office was closed.
Mr Field then contacted CUH and was advised by a staff member to deliver it to hospital reception in a sealed envelope, where it would be followed up on Monday.
“I took the decision not to follow this advice as I wanted to hand it back to someone with direct data protection responsibility,” Mr Field said.
He returned the data to the HSE South consumer affairs officer on Tuesday morning.
Mr Field said he has extensive experience in relation to data protection protocol, “having dealt extensively with volunteer lists as deputy chair and canvassing officer of the Together for Yes campaign in Cork during last year’s referendum to Repeal the Eighth Amendment”.
He said either the HSE’s data protection protocols aren’t robust enough, “or staff aren’t being properly trained to implement them”.
He said HSE Consumer Affairs had reported the matter to the Data Protection Commission “but, as with most things in the health service, prevention is better than cure”.
“Senior management should really take responsibility for this, rather than hope it goes away or to blame individual staff members,” Mr Field said.
The Irish Examiner asked CUH if it could explain how patients’ details were found on the street in the city centre.
The HSE failed to respond to the query.
The CUH data breach follows on from another breach earlier this week in relation to sensitive data from Our Lady of Lourdes Hospital, Drogheda, as revealed by Mr Field’s Labour colleague Senator Ged Nash.