Updated 22:00
SENSITIVE INFORMATION ABOUT a young teenager, who was found in a distressed state outside the GPO recently, was accidentally sent to the owner of a business that has a similar domain name to the HSE, TheJournal.ie can reveal.
The email, sent by the Psychiatric Nurses Association (PNA), was supposed to be received by members of the trade union within the HSE. It requested assistance in identifying the girl and contained detailed information about her, as well as a photograph taken at the hospital.
The business in question has a name that closely resembles the HSE’s and so its owner and employees have email addresses similar to those working for the public health body.
Speaking to TheJournal.ie, the owner of the business said he found it “quite distressing” to receive the email, which gave specific details of the girl’s physical and mental wellbeing.
“I’m a father myself and I got this photo of a child sent to me – I don’t know what to do with this,” he said.
A spokesperson for the PNA said the union was asked by gardaí to contact members to ask if the child had ever been treated by them.
“Gardaí were looking for our assistance and we were in a good position to possibly help in that way,” they said.
However he said the intention was to send the email out to a “confidential list” of people.
Sensitive information
The business owner said this is not the first time he has received sensitive information that was meant for the HSE and that he has contacted them about it in the past.
“I got onto them to get them to stop it but they wanted us to set up a system to gather all their emails and send them onto them and then contact all the people individually who sent us things,” he explained. “I think that should be up to them”.
Commenting on the incident, a spokesperson for the Data Protection Commissioner said it is “the responsibility of the sender organisation to ensure, especially when dealing with sensitive personal data, that they have the correct contacts”.
They said that they would expect an organisation which has inadvertently disclosed sensitive personal data to notify the commissioner’s office once they are made aware of it.
“If the breach was on the sender’s part, then it would be a quality decision for the HSE if it wished to engage with that company,” they added.
In a statement, the HSE said: “As confirmed by the Data Protection Commissioner the responsibility of data protection is on the controller and sender of the information, in this case the sender of the information was not the HSE.
“Should any action be required on the part of the HSE by the DPC the HSE will cooperate fully.”
First published 6am
To embed this post, copy the code below on your site
have your say