Skip to content
#Open journalism No news is bad news

Your contributions will help us continue to deliver the stories that are important to you

Support The Journal
Image: Shutterstock/Air Images

Two cases of patient records left on car roofs among 212 HSE data breaches

A medical device containing patients’ personal information was sent for repair to a company in the UK by Saolta University Hospital Group.
Apr 11th 2017, 9:02 AM 13,632 19

THE NUMBER OF data-protection breaches involving sensitive personal information held by the Health Service Executive (HSE) almost doubled to 212 last year, internal documents have revealed.

The incidents included two cases in which staff members left patients’ records on the roof of their cars before driving away, and one case in which Tusla files were found in an empty building during renovations.

In another data breach, a doctor attached to Mental Health Services in Wexford left confidential records relating to patients in an apartment that he had vacated. They were discovered by a new tenant and later returned to the HSE.

Medical device

Last April, the Data Protection Commissioner was actually a party to a breach that occurred at Midlands Regional Hospital Tullamore, when a patient’s data was accidentally faxed to the Commissioner’s office instead of the individual’s GP.

Later that month, a medical device containing patients’ personal information was sent for repair to a company in the UK by Saolta University Hospital Group.

Instead of the company returning the device, it was reconditioned and provided to an NHS hospital in Hull. The hospital’s IT department discovered that the device still contained the data and contacted the HSE.

In May 2016, a nursing report sheet and x-ray order sheet containing details relating to 27 patients was found misplaced in a building adjacent to University Hospital Limerick.

A month later, a large quantity of files relating to 27 more individuals including patient diagnoses was found on the ground across the road from the hospital. No explanation was offered by the HSE but the importance of data protection awareness was raised at a subsequent team meeting for staff of the relevant department.


90132981_90132981 Source: Sasko Lazarov/Photocall Ireland

Three separate incidents in which sensitive patient documents were lost or found in the vicinity of hospital grounds occurred during February and March 2016 at Our Lady of Lourdes Hospital in Drogheda.

In February, wind scattered documents being carried by a staff member between buildings at the hospital. Two pages of a completed service application form were never recovered.

Later that month, a handwritten note containing a patient’s personal details was found in a waiting room; and in March, a document containing information relating to 13 patients was found “in the vicinity of the hospital grounds”.

In October, files belonging to Tusla, the Child and Family Agency, were found by HIQA in an empty building that was in the process of being renovated for use by the charity, Rehab.

The HSE said that the records could not have been accessed by members of the public, and a review of the incident was undertaken with the aim of ensuring that the same mistake does not happen again.

Two incidents occurred last year in which patient records were left on the roof of a car by a HSE staff member before they drove away. The same scenario also occurred twice in 2015.

The first of these incidents happened in April 2016, when an employee at Abbeyfeale Health Centre in Limerick left files on top of their car and drove away. The files were returned by a member of the public the next day.

In October, a HSE staff member working in pensions management placed a file on the roof of their vehicle before leaving a carpark. They later returned and recovered the file but two pages relating to one individual was missing.

Other data-protection breaches occurred when a health worker left a client’s records in another client’s house; when a PC was stolen during a break-in at an addiction services clinic; and when documents relating to patients of Sligo University Hospital were discovered in a bin in Dublin.

The details of 212 data-protection incidents were contained in records released by the HSE under the Freedom of Information Act. In 2015, the number of data-protection incidents reported by the HSE was 113.

Read: Ed Sheeran settles $20 million plagiarism suit over his song Photograph

Send a tip to the author

Darragh McDonagh


    Back to top