The incidents included two cases in which staff members left patients’ records on the roof of their cars before driving away, and one case in which Tusla files were found in an empty building during renovations.
In another data breach, a doctor attached to Mental Health Services in Wexford left confidential records relating to patients in an apartment he had vacated. They were discovered by a new tenant and later returned to the HSE.
Last April, the data protection commissioner was actually a party to a breach that occurred at Midlands Regional Hospital Tullamore, when a patient’s data was accidentally faxed to the commissioner’s office instead of the individual’s GP.
Later that month, a medical device containing patients’ personal information was sent for repair to a company in the UK by Saolta University Hospital Group.
Instead of the company returning the device, it was reconditioned and provided to an NHS hospital in Hull. The hospital’s IT department discovered that the device still contained the data and contacted the HSE.
In May 2016, a nursing report sheet and X-ray order sheet containing details relating to 27 patients was found misplaced in a building adjacent to University Hospital Limerick.
A month later, a large quantity of files relating to 27 more individuals including patient diagnoses was found on the ground across the road from the hospital. No explanation was offered by the HSE but the importance of data protection awareness was raised at a subsequent team meeting for staff of the relevant department.
Three separate incidents in which sensitive patient documents were lost or found in the vicinity of hospital grounds occurred during February and March 2016 at Our Lady of Lourdes Hospital in Drogheda.
In February, wind scattered documents being carried by a staff member between buildings at the hospital. Two pages of a completed service application form were never recovered.
Later that month, a handwritten note containing a patient’s personal details was found in a waiting room; and in March, a document containing information relating to 13 patients was found “in the vicinity of the hospital grounds”.
In October, files belonging to Tusla, the Child and Family Agency, were found by Hiqa in an empty building that was in the process of being renovated for use by the charity, Rehab.
The HSE said the records could not have been accessed by members of the public, and a review of the incident was undertaken with the aim of ensuring the same mistake does not happen again.
Two incidents occurred last year in which patient records were left on the roof of a car by a HSE staff member before they drove away. The same scenario also occurred twice in 2015.
The first of these incidents happened in April 2016, when an employee at Abbeyfeale Health Centre in Limerick left files on top of their car and drove away. The files were returned by a member of the public the next day.
In October, a HSE staff member working in pensions management placed a file on the roof of their vehicle before leaving a car park. They later returned and recovered the file but two pages relating to one individual was missing.
The details of 212 data protection incidents were contained in records released by the HSE under the Freedom of Information Act. In 2015, the number of data protection incidents reported by the HSE was 113.