Data breaches at CUH as ex-staff retain security access

The catalogue of errors is detailed in a major HSE internal audit report on Cork University Hospital.
The heavily redacted 63-page document, obtained under the Freedom of Information Act and available at irishexaminer.com, has warned of serious flaws in how patient information is stored and collated.
Detailing a series of encryption code failures, unauthorised access problems and medical history file errors that risk putting patients needlessly in danger, it said action needs to be taken immediately to address the data breaches.
According to the HSE audit, “unauthorised staff”, including an unspecified number of individuals who have moved jobs, are able to access “sensitive” patient details because their access rights have not been revoked.
Password problems, a lack of encryption on 25% of laptops examined, and a sub-standard level of “access controls” relating to child services are also raised by the audit team.
In addition, a string of errors in medical records has occurred due to simple filing mistakes — potentially putting members of the public at risk.
According to the audit team, one in three of the 22,000 files examined had various mistakes in their basic information, including slight discrepancies in the names, addresses, ages, and dates of birth of individual patients.
These errors, which investigators said were caused by unauthorised personnel accidentally putting in the wrong information, mean “key information may consequentially not be made available to medical staff” treating the patient at a later date, and “may lead to incorrect medical care”.
Hospital management said a number of the issues relate to wider HSE problems.
However, in a management note contained in the audit, CUH admitted: “There are a significant number of gaps in relation to the management and protection of sensitive data.”
The data breaches come in the wake of similar concerns in internal HSE audits in July 2011 in relation to foster care and in January last involving Waterford Regional Hospital.
HSE auditors found highly sensitive files left on top of a Cork University Hospital car park ticket machine when they arrived to examine the facility’s data security. A footnote in the audit of the hospital revealed the situation which, considering the reason for the auditors’ arrival, could not have occurred at a worse time.
“While this is an ‘out-of-scope’ finding, the auditors are obliged to note and notify that a folder containing sensitive employee information was found on the machine for paying the parking tickets,” page five of the report stated.
Bizarrely, the audit later noted that the misplaced folder situation means staff need “training” on “information security” — presumably including how not to leave “sensitive” documents on the top of car park ticket machines.