The Data Protection Commission (DPC) has handed down a €65,000 fine to Cork University Maternity Hospital (CUMH) after the personal data of 78 of its patients was discovered disposed of in a public recycling facility elsewhere in the county.
The complaint was first raised with the DPC in June 2019 after a member of the public, who had discovered the documents, brought the matter to the HSE’s attention.
The executive then reported the data breach to the DPC.
The breach, which is understood to have involved a large number of documents, was an infraction of the hospital's obligations under the EU's General Data Protection Regulation (GDPR). The documents contained the personal data of 78 people and the special category personal data of six of them.
Special category data under GDPR is information of a particularly sensitive nature, the exposure of which could be expected to significantly impact the rights and freedoms of data subjects or could be potentially used against them in a discriminatory fashion.
It includes information regarding individuals' race or ethnicity, religious beliefs, political opinions, biometric data used to identify a person, sexual orientation, and health data.
The breach at CUMH is believed to have comprised sensitive health data of patients, including medical histories and future planned programmes of care.
In its decision, handed down on August 18, the DPC said that the HSE had infringed Article 5 (the integrity and confidentiality principle) and Article 32 (security of processing) of the GDPR by failing to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data”.
Regardless of which individual disposed of the documents, the HSE, as the data controller responsible for the hospital, was held accountable for the breach.
The DPC said it had imposed an administrative fine of €65,000 on the HSE for these infringements. The ruling has not been appealed.
The HSE said that all patients affected by the breach had been notified of it.
“The HSE takes all breaches of data protection seriously and all such cases are fully investigated to establish how they occurred and preventative measures are put in place to reduce the risk of such breaches happening again,” it said.
“This is in addition to a comprehensive training and development programme for staff in GDPR as well as a range of policies and procedures designed to protect personal data.”
The DPC also ordered the HSE to bring its systems for processing and disposing of patients’ information “into compliance” with GDPR standards, and issued the executive with a formal reprimand on the matter.
The decision is just the fifth fine handed down by the DPC since GDPR came into force in May 2018. The other four were delivered to child and family agency Tusla.