Tallaght data breach investigated

Tallaght hospital has asked An Garda Síochána to assist it in determining how sensitive patient information got into inappropriate hands, the hospital has confirmed.

Since 2004 the west Dublin hospital had been using a private firm to transcribe some medical reports and letters for GPs. This firm, in turn, was sending the material to its offices in the Philippines for transcription.

The hospital said it was now evident that information had been subject to unauthorised access and disclosure.

In a statement, the hospital’s acting chief executive, John O’Connell, said it had been working closely with the National Bureau of Investigations in the Philippines and the UK Information Commissioner.

“The IT director of the hospital has been in the Philippines over the last week to assist their legal authorities. Also, I have been working closely with the Data Protection Commissioner over the last two weeks,” Mr O’Connell said.

He said Tallaght hospital had been using the transcription service Uscribe, based in the Philippines, but terminated this contract in May of this year.

“Upon taking up my position in July 2010, I instructed that the transcription service be evaluated. This resulted in the hospital changing service provider and putting in place new policies and procedures.”

The chief executive said it had always been the case that all material for transcription was encrypted and that this practice “has always been followed”.

“Since 2010, it has also been the policy of the hospital that no patient identifiers should be used; regrettably, this policy has not always been followed in practice.

“Some letters were dictated which did not come back transcribed. While it was the policy of the hospital to keep information sheets for each letter, this practice was not followed universally,” Mr O’Connell said.

“On the termination of the contract with the dictation service, the hospital continues to ensure that all data is being returned and hospital staff have been processing uncompleted correspondence.”

Mr O’Connell said it was a “very serious matter” that the hospital was determined to resolve thoroughly and as quickly as possible. The board of the hospital and the HSE have been kept informed, he added.

Deputy data protection commissioner Gary Davis said the hospital was treating the matter very seriously and had reported it to his office.

He said the precise arrangements for how the patient data had been dealt with in the Philippines were in doubt and it appeared it had fallen into the wrong hands.

He noted one Sunday newspaper had received information from a third party. Mr Davis said the compromised records "may be in a relatively contained space" but that his office was seeking clarity on this.

It was important to reassure patients that the records were dictated notes of consultations with doctors and not their complete medical records.

Speaking on RTÉ's News at One, Mr Davis said people wanted to know that when they talk to their doctors about sensitive health information that it was not going to find its way to third parties "who perhaps don't care about confidentiality".

He said there was no bar on a hospital using a third party to process such data. "It just has to put in place very stringent due diligence procedures and contracts and undertakings with them."

This was permissible under the Data Protection Acts.

"Obviously something has gone seriously wrong in this case and we are following that up with Tallaght," Mr Davis added.

His office had checked with the HSE to see if it were aware of any further use of any such services. Mr Davis said the HSE had responded that it was not using any such service as far as it was aware.

Mr Davis said there was a general issue that where third parties were used for such services there was "a need to be sure that they are vetting these people and that they are doing what they say they are doing".

While he could not comment specifically on what had happened between Tallaght and the third party in this case, his office saw such issues on "an ongoing basis".

In such cases, people were entering into commercial relationships and "don’t properly ask the sort of questions they should ask. That’s possibly what had happened in this incident".

Minister for Health James Reilly called on the hospital to provide information to concerned patients and said he had asked the HSE to establish if any of its hospitals was similarly affected.

Labour TD for Dublin Mid-West Robert Dowds said he would meet the acting chief executive of the hospital tomorrow to discuss the issue. He urged health service providers to put an end to outsourcing the transcription of sensitive medical records to other countries.

“After numerous questions to the HSE on the subject which received evasive answers, Tallaght hospital finally confirmed that there was a breach of its patient data protection guidelines, something which had previously been denied,” Mr Dowds said.

He said the hospital and the HSE had not been “upfront” about the matter.

Mr Dowds said if the matter was not resolved “in a prompt and satisfactory manner”, he would seek to raise it before the Oireachtas health committee.