Hospital medical notes on multiple patients found in housing estate garden
Medical notes on 10 patients who were being treated at Our Lady of Lourdes Hospital in Drogheda, County Louth, have been found in a housing estate.
The apparent data breach was brought to the attention of Drogheda Senator Ged Nash who has called for an urgent investigation.
The information found referenced 10 patients, male and female, and they ranged in age from 36 to 90.
The details also indicate they were all patients on a particular ward in the hospital last month (April).
The 5 sheets of paper listing their personal information were found in a front garden in a housing estate that is about a 10-minute walk from the hospital.
Their dates of birth, family situations and medical conditions and treatments were all detailed on the sheets which appeared to be information to be passed from one medical professional to another.
The woman who found the sheets of paper was in contact with Senator Nash who advised her to contact the hospital and arranged to have the information returned to the hospital.
Senator Nash said, ‘This is completely unacceptable and hospital management must report this egregious compromising of private and deeply sensitive personal information to the Data Protection Commissioner.’
‘Some very elderly and vulnerable patients have had the most personal and confidential information imaginable about their health situation strewn in a suburban housing estate for all to see.’
He said the patients concerned ‘should all be contacted without delay to advise them of this breach.’
He said ‘an urgent investigation must take place and confidence in data management at the Lourdes must be restored. That confidence has been tested yet again.’
He also acknowledged that the information was found by a civic-minded person ‘who on my advice contacted the hospital immediately and arranged to have the information returned.’
The hospital has been asked to respond.
The Data Protection Commission has not been made aware of any issue, but under Article 33 of the GDPR there is a 72-hour period after a breach for it to be reported.
Article 33 says, ‘In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.’