Confidential patient notes, operating theatre schedules, and minutes of meetings were repeatedly sent in error to a member of the public for six months — despite his efforts to highlight the issue.
The HSE apologised and said it was notifying the Data Protection Commissioner about the breach, which apparently occurred because the recipient of the emails, a Cork-based IT professional, has the same name as a consultant at Limerick University Hospital.
The recipient, who does not wish to be identified, said he made repeated attempts to highlight the fact that he was getting the emails to his personal email address, but continued to receive them from January to July.
He contacted a HSE IT email address on more than one occasion but never received a response, while calls to the telephone number repeatedly rang out.
He contacted the office of Leo Varadkar, the health minister, on July 24 to complain about the repeated data breaches and was told to make his complaint in writing, which he has now done.
The emails received to his personal Gmail account — which he says he typically checks just once or twice a week — began on January 5 and continued until July 24. They were sent by a number of different people, mostly health professionals attached to Limerick University Hospital, but instead of reaching a consultant, they were sent to him.
A sample of the correspondence, seen by the Irish Examiner, includes:
The IT professional said he replied to each email to inform the sender it had gone to the wrong address as he was concerned important information about patient care might not be getting to the consultant involved: “First of all I thought it might be one person with the wrong email details, but then I got them from multiple email addresses,” he said.
In one response issued to senders he wrote: “I would be grateful if someone within the HSE could investigate this and correct any records with incorrect contact information as soon as possible.”
However, despite acknowledgements and apologies from individual senders, all attempts to make contact with the relevant IT department failed: “No one got back to me. The situation is ridiculous. It hasn’t been for want of trying to resolve this. Obviously there are systematic errors and I can’t blame any one individual.”
In a statement, the UL Hospitals Group admitted the breach had occurred and apologised: “As with any data protection concern, the matter is being taken very seriously and will be investigated. We apologise to any individuals involved. The matter has been reported to the Data Protection Commissioner and it would be inappropriate for us to comment further at this time.”
Just last month it emerged that between April 2014 and the start of April this year, there had been more than 100 data protection breaches involving sensitive personal information held by the HSE.
© Irish Examiner Ltd. All rights reserved