CATERING staff were able to access confidential patient information held on a €60m HSE record system which is being rolled out across the country.
Workers in Kerry General Hospital were able to access information including the patient's name, address, admission and discharge date, doctor information and clinical data, an internal audit of the system last year found.
And the audit warned of five "high-level" security risks in the Integrated Patient Management System (IPMS) which is used by ten acute hospitals and 20 HSE centres.
No clinical data had been uploaded on to the system at the time of the breach.
Fine Gael health spokesman Dr James Reilly last night said that unless doctors and patients were confident that information would remain confidential, they would not co-operate.
"IT and the further development of it in the health service is critical, but patient confidentialty has to be of the utmost importance," he said.
"If catering staff could get at it, insurers could get at it. It has been unsatisfactory, the way IT has been rolled out."
This is the second time that the HSE has had problems rolling-out new computer systems.
The €9m PPARS (personnel, payroll and related system) was supposed to provide detailed information on 136,000 staff and draw up rosters, but is only capable of paying 30,000 staff.
The audit of the IPMS programme, released to a Sunday newspaper under the Freedom of Information Act, said that catering staff in Kerry had access codes to the system which allowed them read confidential patient files.
The HSE said the internal audit was carried out in two hospitals in the south and west regions in the first half of last year to identify issues with the system.
The problems arose because staff were not using the system correctly. "There were issues at a local level that could be rectified, for example tightening up of procedures," a spokeswoman said.
Only "appropriate authorised personnel" could now use it, she added.