Patient data leak not confined to Tallaght hospital, says chief


THE SCOPE of a data breach involving confidential patient information is much wider than just Tallaght hospital in Dublin, the hospital’s acting chief executive has indicated.

The hospital yesterday admitted there had been “unauthorised access and disclosure” of material sent to the Philippines for transcription.

Its arrangement with Irish-based company Uscribe, which sent the material to its office in the Philippines, has been terminated and the hospital is now using another provider.

While the Health Service Executive has indicated it does not outsource such transcription services, it is understood that some consultants have entered private arrangements with the transcription company.

The data in question comprises records of individual patient consultations with doctors and not full medical records. It appears, however, that at least in some cases information identifying patients has been compromised.

The hospital confirmed it had asked the Garda to assist in determining how the sensitive patient data fell into “inappropriate hands”.

Last month RTÉ reported the hospital had alerted the Data Protection Commissioner to a potential breach. But the hospital responded that it had informed the commissioner of an “unsubstantiated allegation” that information was leaked.

In a letter to consultants dated July 30th, acting chief executive John O’Connell said the hospital was seeking the assistance of the National Bureau of Investigations in the Philippines and also the UK Information Commissioner.

He said that upon taking up the position he had instructed that the transcription service be evaluated.

“This resulted in the hospital changing service provider and putting in place new policies and procedures. It has always been the case that all material for transcription be encrypted and this practice has always been followed.

“Since 2010, it has also been the policy of the hospital that no patient identifiers should be used; regrettably, this policy has not always been followed in practice.”

A Sunday newspaper has obtained patient-identifying information dating to 2008, Mr O’Connell said in the letter. “All clinicians that use Uscribe in AMNCH [Tallaght] or privately must assume that some information on patients is available to the journalist.”

Mr O’Connell’s letter to the consultants concludes: “I have briefed the clinical directors, the board of management and other relevant parties, while the scope is much larger than AMNCH; we anticipate we will receive considerable attention as a result.”

Deputy data protection commissioner Gary Davis said the hospital was taking the matter seriously and noted it had sent its IT manager to the Philippines to liaise with the company.

The Data Protection Commissioner’s office will meet the hospital’s chief executive today.

Mr Davis said there was no bar on a hospital using a third party to process such data. “It just has to put in place very stringent due diligence procedures and contracts and undertakings with them.”

Minister for Health James Reilly called on the hospital to provide information to concerned patients and said he had asked the HSE to establish if any of its hospitals was similarly affected.

Uscribe in Dublin did not respond to a request for comment.