Misplaced patient records from Letterkenny University Hospital were found in a pub last year, while lost medical files containing personal data turned up on a bus in Waterford.
These were among 465 data protection breaches involving sensitive personal information held by the Health Service Executive (HSE) between January 2018 and May 2019, internal documents have revealed.
Elsewhere, a patient’s medical file was found in a public toilet in Roscommon in July 2018; and records relating to patients of St Luke’s General Hospital in Kilkenny were found in a bag donated to a local charity shop last February.
The breaches have been described as “serious incidents” by a patient advocacy group, which criticised the “careless custody” of individuals’ private medical records by the HSE.
Patient files from Our Lady of Lourdes Hospital in Drogheda were found outside the facility by members of the public on four occasions at locations including a garden and a nearby walkway.
In Roscommon, a data protection breach was reported by the area’s mental health services last year after personnel records covering a five-year period were lost and never recovered.
A number of breaches occurred when photos or videos of patients were uploaded on social media without their consent. These included one incident last December, when a staff member at Galway Mental Health Services accidentally posted a picture of a client on Facebook.
Last February, mental health services records containing personal data were found during the excavation of a site in Kilkenny; while a list of patients was discovered in a bag of rubbish that was illegally dumped in Letterkenny in March 2018.
At University Hospital Galway (UHG), a patient’s CT scan was accidentally included in records released to a third party in response to a Freedom of Information request, while University Hospital Waterford (UHW) mistakenly attached a patient’s prescription to unrelated records pertaining to another FOI request.
Last November, a data protection breach was recorded at Connolly Hospital in Dublin when the wrong ID wristband was put on the wrong patient. However, this mistake was only discovered after they had been discharged.
“A patient’s right to privacy and confidentiality should not be violated by careless custody of their records,” said Stephen McMahon of the Irish Patients Association.
He said that while “it’s not a witch hunt,” individuals responsible for data protection breaches should be identified, and there should be full disclosure to the patients or families affected.
There were a total of 277 data protection breaches recorded by the HSE in 2017. A spokesperson for the health authority said an increase in the number of such incidents may be attributable to the enactment of the new General Data Protection Regulation (GDPR) in May 2018.
“The HSE takes all breaches of data protection seriously and all such cases are fully investigated to establish how they occurred,” she said.
“After we investigate breaches… we put preventative measures in place to reduce the risk of such breaches happening again.”
