HSE data breaches: Misplaced patient records discovered in pub, lost medical files turned up on bus
Misplaced patient records from Letterkenny University Hospital were found in a pub last year, while lost medical files containing personal data turned up on a bus in Waterford.
These were among 465 data protection breaches involving sensitive personal information held by the HSE between January 2018 and May this year, internal documents have revealed.
In one case, a patient's medical file was found in a public toilet in Roscommon last July, and records relating to patients of St Luke's General Hospital in Kilkenny were found in a bag donated to a local charity shop last February.
The breaches have been described as "serious incidents" by a patient advocacy group, which criticised the "careless custody" of individuals' private medical records by the HSE.
Patient files from Our Lady of Lourdes Hospital in Drogheda were found outside the facility by members of the public on four occasions at locations including a garden and a nearby walkway.
In Roscommon, a data protection breach was reported by the area's mental health services last year after personnel records covering a five-year period were lost and not recovered.
A number of breaches also occurred when images of patients were uploaded on social media without their consent. These included one incident last December, when a staff member at Galway Mental Health Services accidentally posted a picture of a client on Facebook.
Last February, mental health service records containing personal data were found during the excavation of a site in Kilkenny, while a list of patients was discovered in a bag of rubbish that was illegally dumped in Letterkenny in March 2018.
At University Hospital Galway, a patient's CT scan was accidentally included in records released to a third party in response to a Freedom of Information request, while University Hospital Waterford mistakenly attached a patient's prescription to unrelated records pertaining to another FoI request.
Last November, a data protection breach was recorded at Connolly Hospital in Dublin when the wrong ID wristband was put on the wrong patient. However, this mistake was only discovered after they had been discharged.
"A patient's right to privacy and confidentiality should not be violated by careless custody of their records," said Stephen McMahon of the Irish Patients' Association.
He said that, while "it's not a witch hunt", individuals responsible for data protection breaches should be identified, and there should be full disclosure to the patients or families affected.
A total of 277 data protection breaches were recorded by the HSE in 2017. A spokesperson for the health authority said an increase in the number of recorded incidents may be attributable to the enactment of the new General Data Protection Regulation in May 2018.
"The HSE takes all breaches of data protection seriously and all such cases are fully investigated to establish how they occurred," said the spokesperson.
She added that after breaches are investigated, preventative measures are put in place to reduce the risk of them happening again.