Major data breach at Limerick hospital under investigation

It’s alleged the patient data, including patient names, dates of birth, and medicines dispensed, was extracted from a computer system relating to patients who attended at the emergency department (ED) at UHL last April.

“We are writing to 630 patients concerning a breach of patient data at University Hospital Limerick. This relates to patients who attended the Emergency Department at UHL between April 18 and April 22 last,” said a UHL spokesman, who confirmed 95 of the people affected are children.

“The data in question was extracted from an automated system used in the ED to dispense medication safely. It was extracted, without HSE knowledge or approval, by an employee of a company which was then supporting this system; and not by any employee of the HSE.

This information was published online in the form of a file linked from a Twitter account. This file contained personal data which included patients’ names, date of birth and the names of medications dispensed while they were in the ED.

The spokesman added “the medications were for the most part those you would expect to be dispensed in an emergency department (i.e painkillers and antibiotics)”.

The hospital became aware of the alleged breach on May 29.

“Immediate actions were taken by the HSE and by UL Hospitals Group to protect patient data. Twitter blocked the link to the data and disabled the account in question,” the spokesman explained.

Gardaí and the Data Protection Commission were also immediately notified and the HSE obtained a High Court Order on June 5 “restraining the individual concerned from communicating confidential information”.

The UHL spokesman said the hospital was “only now writing to patients as it has taken some time for UL Hospitals Group and the HSE to understand the nature and extent of the breach”.

They believe the data "has not been widely shared" due to the type of file which was posted online, which would have "taken a degree of technical knowledge to rebuild and make sense of". 

The spokesman said that while the hospital “have to date received no inquiries from any party who has accessed patient details online” they were in the process of advising the 630 patients “that there remains a residual risk of future unauthorised disclosure, in spite of the High Court injunction that remains in place to restrain the individual from further sharing data”.

UHL has “apologised” to patients involved “for any distress this will cause” and is including details of a helpline in the letters sent to the patients.

According to a report in the Limerick Leader the data breach involved a “rogue non-HSE employee”.

UL Hospitals Group explained it “had all the necessary data processing arrangements in place with the third party processor to protect the security of the data which was being processed”.

“A data processing agreement” and “a data sharing agreement” was in place between the HSE and the company as well as “a confidentiality agreement”, the Group said.

“Unfortunately this event was caused by an intentional act by one individual.”