University Hospital Limerick (UHL) is in the process of sending letters to more than 600 patients following an alleged major data breach concerning patient details, including those of 95 children, which was then posted on social media.
Gardaí have been informed of the alleged breach by a non-HSE employee.
It is alleged that patient data, including the patients’ names, dates of birth, as well as medicines dispensed, was extracted from a computer system relating to patients who attended at the Emergency Department at UHL last April.
“We are writing to 630 patients concerning a breach of patient data at University Hospital Limerick. This relates to patients who attended the Emergency Department at UHL between April 18th and April 22nd last,” a UHL spokesman confirmed.
“The data in question was extracted from an automated system used in the ED to dispense medication safely. It was extracted, without HSE knowledge or approval, by an employee of a company which was then supporting this system; and not by any employee of the HSE.”
“This information was published online in the form of a file linked from a Twitter account. This file contained personal data which included patients’ names, date of birth and the names of medications dispensed while they were in the ED.”
The spokesman added “the medications were for the most part those you would expect to be dispensed in an emergency department (i.e painkillers and antibiotics)”.
The hospital became aware of the alleged breach on May 29th.
“Immediate actions were taken by the HSE and by UL Hospitals Group to protect patient data. Twitter blocked the link to the data and disabled the account in question,” the spokesman explained.
Gardaí and the Data Protection Commission were also immediately notified and the HSE obtained a High Court Order on June 5th last “restraining the individual concerned from communicating confidential information”.
The UHL spokesman said the hospital was “only now writing to patients as it has taken some time for UL Hospitals Group and the HSE to understand the nature and extent of the breach”.
“We believe that the data has not been widely shared and that the manner in which it was published online (an .SQL file) would have taken a degree of technical knowledge to rebuild and make sense of.”
The spokesman said that while the hospital “have to date received no inquiries from any party who has accessed patient details online” they were in the process of advising the 630 patients “that there remains a residual risk of future unauthorised disclosure, in spite of the High Court injunction that remains in place to restrain the individual from further sharing data”.
“Where the patients concerned are children, we are writing to their parents or guardians. Of the 630 patients involved, 95 are children,” the spokesman confirmed.
UHL has “apologised” to patients involved “for any distress this will cause” and is including details of a helpline in the letters sent to the patients.
“Patients who have not received a letter from us are unaffected by this data breach and are kindly requested not to phone the helpline,” the spokesman said.
The UL Hospitals Group has convened “a Serious Incident Management team (SIMT) to investigate this incident, and take any necessary actions to further secure patient data”.
UL Hospitals Group explained that it “had all the necessary data processing arrangements in place with the third party processor to protect the security of the data which was being processed”.
“A data processing agreement” and “a data sharing agreement” was in place between the HSE and the company as well as “a confidentiality agreement”, the Group said.
“Unfortunately this event was caused by an intentional act by one individual.”
It added that in order to “protect patient data” the “HSE Chief Information Officer worked closely with the third party company and reported the breach to An Garda Síochána”.
“A High Court order was put in place restraining the defendant and any person to whom the defendant has communicated or may communicate “the Confidential Information” from disseminating, publishing, communicating by any means whatsoever or otherwise making any use of the Confidential Information or any part thereof for any purpose whether through the use of the specific Twitter handles, email addresses or otherwise.”
“The High Court order directed the defendant to return all documents, records and devices containing the Confidential Information and/or to submit such devices for forensic analysis records. All property was returned on 5th June.”
“All passwords were changed immediately, and the company is no longer managing the automated system in question”.
“A new company have taken over sales and service of the system in Ireland.”