HSE is facing investigations into two patient data leaks

The investigation will examine how the HSE stored sensitive personal data in paper documents at external storage facilities. The data watchdog has been notified of security breaches at two such buildings.

“The breaches reported to the DPC related to two specific locations accessed by unauthorized third parties, and the distribution of videos taken from these locations showing paper medical records,” a spokesperson for the privacy watchdog said.

Last November, a video on TikTok showed a large number of historic patient files at a disused hospital in Donegal. The records, including X-rays and medical notes, were located at the former St. Conal psychiatric hospital in Letterkenny. The person who shot the video claimed he entered the building through an unlocked door.

Last night the HSE confirmed it had just received notice of the start of an investigation from the DPC into two separate data breaches in 2023.

“We will cooperate fully with this investigation,” it said. “The HSE takes all data protection breaches seriously and manages all breaches in accordance with data protection legislation and HSE policy.”

The DPC was first notified of a breach by the HSE late last year and has since been in contact with the health service.

Des Hogan, a commissioner at the DPC, said: “We were dealing with that and more information came to light, including videos circulating online of some of the material in these storage facilities. This has increased our concerns. We have decided [on that] basis to launch an investigation, and we will look at all HSE storage facilities.”

The video shows dozens of boxes of confidential patient files at the old St. Conal psychiatric hospital in Letterkenny.

The DPC said it does not have precise information on how many patient records were affected by the data breach, but the number is “significant”, and it would be safe to say it is in the “thousands”. The investigation will examine what level of security the healthcare system has in place to protect medical records.

Mr Hogan agreed that looking at all HSE storage facilities would be a huge job but would be done “one piece at a time”.

In its new annual report, the DPC says it made 19 final decisions last year, resulting in fines totaling €1.55 billion, as well as reprimands and compliance orders. The fines include €1.2 billion to Meta following a GDPR investigation into data transfers from the EU to America, and €345 million to TikTok following an investigation into the processing of personal data relating to children.

Last year, the DPC imposed fines on five organizations ranging from €15,000 to €750,000. The biggest was imposed on Bank of Ireland over data breaches on its 365 app. Centric Health was fined €460,000 after a ransomware attack compromised patient data on its system. About 70,000 patients were affected. Of these, 2,500 had their data deleted, and no backup was available.

In total, the DPC received 11,200 new complaints from individuals last year. It has completed a total of 11,147 cases.