Revealed: 1,400 data breaches at HSE included patient photos and medical files

Revealed: 1,400 data breaches at HSE included patient photos and medical files

THE HSE has suffered almost 1,400 separate data breaches over the past two years.

THE HSE has suffered almost 1,400 separate data breaches over the past two years involving photographing of patients, infection status being disclosed to other family members, and the discovery of confidential medical files in public places.

The number of breaches showed a sharp rise between 2018, when 556 incidents were recorded, and last year when there were 833.

Across the country, there were 1,389 data breaches reported, with over a third of them recorded in the Dublin North East HSE region.

In the West, an incident at Sligo University Hospital involved “a HSE staff member [who] took a screenshot from a security screen of a patient in A&E”.

In another case, an anonymous letter was received by Older People’s Services including six nursing handover records. 

The records had – according to the letter – been found in the local town.

In Letterkenny Hospital, doctors notes containing personal and health data were found by staff at the doors of the old emergency department while in another incident, a maternity patient found someone else’s records in her file.

The same hospital was at the centre of another incident where a CCTV image was released in response to an FOI request. However, the faces of staff had not been pixelated and the footage ended up on YouTube.

In another instance, a breach was reported after an agency staff member contacted a radio station to play a request for clients, with the DJ reading out their names and townland.

In the HSE South area, a breach was reported when a patient’s infection status was visible on the outside of their medical records and seen by a family member.

In another case, patient information was sent to somebody else’s solicitor.

In one case, a receptionist sent pictures records to her manager by using her mobile phone. File image
In one case, a receptionist sent pictures records to her manager by using her mobile phone. File image

The region also reported a breach in the Carlow area where a number of files from community service were “considered missing or lost”.

In the Dublin North East HSE region – where the largest number of incidents were reported – breaches included numerous incidents where emails were sent to the incorrect recipient.

In one breach, a manager left sensitive documents at a reception area. The receptionist located them but took a picture of the records with their mobile phone and forwarded them to her manager. This was described as the “incorrect action”.

In the Dublin Mid Leinster region, a notebook containing details of an inspection was lost on a train service and not recovered.

At St Luke’s Hospital in Kilkenny, a patient list was found by staff in the grounds while at the same hospital a discharged patient was given their own medication and somebody else’s.

Four incidents where medical images or reports were sent to the wrong GP attached to prisons in the Midlands were also reported at a number of hospitals.

In another breach, a social care team attended the wrong address for home visits and “disclosed a child’s name and address”.

A USB key which was unencrypted was also reported to have been left unattended at a HSE site by addiction services.

A statement from the HSE said that all breaches were dealt with in line with data protection legislation and their own policy.

“The HSE takes all breaches of data protection seriously and all such cases are fully investigated to establish how they occurred and preventative measures are put in place to reduce the risk of such breaches happening again,” they said.

“Such preventative measures include further staff training focusing on the root cause of data breaches, revision of guidance documents based on learning from incidents and raising the awareness of the importance of data protection through staff communication channels.”

More in this section