Patient records left on car roof and scattered in hospital grounds in data breaches by HSE

The number of data-protection breaches involving sensitive personal information held by the HSE almost doubled to 212 in 2016. (Stock image)

Darragh McDonagh

Patient records were accidentally left on the roof of HSE staff cars or found scattered in hospital grounds, internal documents have revealed.

These were just some of a litany of data protection breaches recorded by the Health Service Executive (HSE) last year.

The number of data-protection breaches involving sensitive personal information held by the HSE almost doubled to 212 in 2016.

The incidents included two cases in which staff members left patients' records on the roof of their cars before driving away and in another data breach, a doctor left confidential records relating to patients in an apartment that he had vacated. They were discovered by a new tenant and later returned to the HSE.

Three separate incidents in which sensitive patient documents were lost or found in the vicinity of hospital grounds occurred during February and March 2016 at Our Lady of Lourdes Hospital in Drogheda.

In February, wind scattered documents being carried by a staff member between buildings at the hospital. Two pages were never recovered.

Later that month, a handwritten note containing a patient's personal details was found in a waiting room; and in March, a document containing information relating to 13 patients was found "in the vicinity of the hospital grounds".

In October, files belonging to Tusla, the Child and Family Agency, were found by Hiqa in an empty building that was in the process of being renovated for use by the charity Rehab.

The HSE said that the records could not have been accessed by members of the public, and a review of the incident was undertaken with the aim of ensuring that the same mistake does not happen again.

Last April, the Data Protection Commissioner was actually a party to a breach at Midlands Regional Hospital Tullamore, when a patient's data was accidentally faxed to the Commissioner's office instead of the individual's GP.

Later that month, a device containing patients' personal information was sent for repair to a company in the UK by Saolta University Hospital Group. Instead of the company returning the device, it was reconditioned and provided to an NHS hospital in Hull. The hospital's IT department discovered the device still contained data and contacted the HSE.

In May 2016, a nursing report sheet and X-ray order sheet containing details relating to 27 patients was found misplaced in a building adjacent to University Hospital Limerick.

A month later, a large quantity of files relating to 27 more individuals including patient diagnoses was found on the ground across the road from the hospital. No explanation was offered by the HSE but the importance of data protection awareness was raised at a subsequent team meeting.

The details of 212 data-protection incidents were released under the Freedom of Information Act. In 2015, the number of data-protection incidents reported by the HSE was 113.