Data breaches at CUH as ex-staff retain security access

Ex-hospital staff can still access sensitive patient data files because of serious IT security failures, while other computer problems have caused thousands of patient medical record mistakes.

The catalogue of errors is detailed in a major HSE internal audit report on Cork University Hospital.

The heavily redacted 63-page document, obtained under the Freedom of Information Act and available at irishexaminer.com, has warned of serious flaws in how patient information is stored and collated.

Detailing a series of encryption code failures, unauthorised access problems and medical history file errors that risk putting patients needlessly in danger, it said action needs to be taken immediately to address the data breaches.

According to the HSE audit, “unauthorised staff” are able to access “sensitive” patient details — including an unspecified number of individuals who have moved jobs — as their access rights have not been revoked.

Password problems, a lack of encryption on 25% of laptops examined, and a sub-standard level of “access controls” relating to child services are also raised by the audit team.

In addition, a string of errors in medical records has occurred due to simple filing mistakes — potentially putting members of the public at risk.

According to the audit team, one in three of the 22,000 files examined had various mistakes in their basic information, including slight discrepancies in the names, addresses, ages, and dates of birth of individual patients.

These errors, which investigators said were caused by unauthorised personnel accidentally putting in the wrong information, mean “key information may consequentially not be made available to medical staff” treating the patient at a later date, and “may lead to incorrect medical care”.

Hospital management said a number of the issues relate to wider HSE problems.

However, in a management note contained in the audit, CUH admitted: “There are a significant number of gaps in relation to the management and protection of sensitive data.”

The data breaches come in the wake of similar concerns in internal HSE audits in Jul 2011 in relation to foster care and in January last involving Waterford Regional Hospital.

Auditors found HSE files in car park

HSE auditors found highly sensitive files left on top of a Cork University Hospital car park ticket machine when they arrived to examine the facility’s data security. A footnote in the audit of the hospital revealed the situation which, considering the reason for the auditors’ arrival, could not have occurred at a worse time.

“While this is an ‘out-of-scope’ finding, the auditors are obliged to note and notify that a folder containing sensitive employee information was found on the machine for paying the parking tickets,” page five of the report stated.

Bizarrely, the audit later noted that the misplaced folder situation means staff need “training” on “information security” — presumably including how not to leave “sensitive” documents on the top of car park ticket machines.


Lifestyle

We know porridge is one of the best ways to start the day but being virtuous day in, day out can be boring.The Shape I'm In: Food blogger Indy Power

Sheila O’Flanagan can’t pin down an exact number of books she has written.First lady of fiction: Sheila O'Flanagan is happy to be accessible

This might not be the most entertaining topic but it is that time of year when colds, flus and nasty bugs enter classrooms and homes.Mum's the Word: Top tips for keeping nasty bugs and illnesses at bay

Laura Whalen is a Munster-based dollmaker and mother-of-five, and the founder of the Bábóg project, a community crafting drive to make a commemorative doll for all the babies born in Irish mother and baby homes.Made in Munster: Meet the West Cork dollmaker who uses bio-degradable materials for her craft

More From The Irish Examiner