HSE apologises for data breach which saw vulnerable children's details released

Last month, a parent applying for entry on the Children Disability Network Teams (CDNT) steering group was told by a HSE staff member, via email, to fill out an electronic application form.

However, rather than attaching the application form, the mail instead included a spreadsheet detailing each child and their families who had applied for the steering group at that time.

When the applicant informed the HSE worker of their mistake, they apologised and made a second attempt at delivering a digital application form only to attach an updated version of the spreadsheet previously sent, with additional records, detailing the children and their families who had applied.

'Gobsmacked'

Speaking to the Irish Examiner, the applicant, who is a parent of a child with a disability, described being “gobsmacked” by the casual nature of the breach.

"These children are vulnerable enough to begin with. If some sort of predator got their hands on this data somehow, it doesn’t even bear thinking about,” said the parent.

Responding to a query on this matter, a HSE spokesperson said the organisation is “sorry that this data breach has occurred”.

“The HSE takes all breaches of data protection seriously and all data breaches are fully investigated to establish how they occurred and preventative measures are put in place to reduce the risk of such breaches happening again,” they said.

CDNTs are interdisciplinary teams in the health service targeted at providing supports for children with complex needs, who heretofore had frequently fallen between the cracks in the system.

“I think the public needs to know about this breach because this steering group was supposed to rebuild trust between parents and the HSE," said the parent who received the information.

There is zero trust right now because the kids are stuck at the bottom of a barrel, they are completely marginalised.

"CDNT is something we’ve been asking for, for years. And this is what happened? I’m just furious, I really am, because I wanted to do something for my child. And it seems the powers that be simply don’t care.”

The breach detailed 21 families and their addresses, contact numbers, child’s gender, email address, CDNT, child’s age, and their specific disability. The families are located in counties across Ireland.

The parent, in alerting the HSE to its error, notified the data protection officers of each of the HSE’s eight regional organisations along with Health Minister Stephen Donnelly.

The HSE has since delivered the breach notification to the Data Protection Commission, as it is required to do by law.

“I’ve no interest in applying for the steering group now,” the parent said. “Because I don’t want my child’s data breached in the same way. To not even keep data like this in a secure file, something with a password, beggars belief.

“I asked that the board of directors of the HSE be notified of this also. I do think it’s an incredibly important thing and that they should know."