X-ray report found in Penneys among HSE data breaches

Documents for 2015 report lost charts, wrong numbers dialled and files left on top of cars

In 2015, a patient’s X-ray report was found in a Penneys outlet. Photograph: Getty Images/Files

An X-ray report found in Penneys, a cancer patient's chart left on the roof of a car and a child's mental-health records accidentally faxed to Bank of Ireland were among Health Service Executive (HSE) data protection breaches in 2015.

There was a total of 113 breaches involving sensitive personal information held by the HSE that year, according to internal documents.

In April, a patient’s X-ray report with a sticker from another patient was discovered by staff in Penneys, Mullingar. The clothing store posted the report to one of the patients, who contacted the Citizens Information Centre for advice.

They subsequently sent the records back to Midland Regional Hospital in Mullingar, and an investigation began into the incident.


After the investigation, the staff were “reminded of their responsibilities under data protection legislation”, a HSE spokeswoman said.

Later that month, an incident report containing an allegation of abuse concerning an adult with an intellectual disability was “inadvertently posted” to a financial services company in Dublin, according to the documents.

A spokeswoman said the incident was reported to the Data Protection Commissioner and a meeting was held with the affected client. Staff were again reminded of their responsibilities.

In June, a healthcare assistant from St Luke’s Hospital in Dublin was accompanying a patient on a transfer to another hospital when he left the patient’ s chart on the roof of the car before driving away.

He realised the mistake only when he arrived at their destination. The chart was later retrieved from a member of the public who had picked it up.

The HSE responded by notifying the patient of the incident and reported the matter to the Data Protection Commissioner. The staff member was reminded of his responsibilities.

Wrong number

In August, a HSE employee attempted to send a fax to Temple Street Hospital containing sensitive information relating to a minor in the care of Child and Adolescent Mental Health Services (CAMHS) at Dara Linn Cherry Orchard Hospital.

They entered the wrong number and the details were instead faxed to Bank of Ireland.

In a similar case in October, a staff member at Midland Regional Hospital in Tullamore, Co Offaly, dialled the wrong number when trying to call a palliative care nurse.

The staff member left a voicemail containing sensitive clinical information about a patient. They then received a call back from a third party, asking why they had received the information.

In March 2015, a diary containing sensitive client information was misplaced by a community services worker in Sligo and later found on the roof of her car. However, a sealed envelope containing an assessment report that had been placed in the diary was not recovered.

In April, a nursing report book from Dublin North Mental Health Services was found by a gardener on the grounds of a hospital.

Last November, nine doctor’s letters were found scattered on the grounds of Our Lady’s Hospital in Navan.

Healthcare records relating to 102 children were lost from the Public Health Nursing section of Cherry Orchard Hospital last year, which required all affected individuals to be re-screened.

A spokeswoman for the HSE said that it takes its responsibility under data protection legislation very seriously. She said the outcomes in certain cases reported were not found to constitute a data protection breach following investigation.