A patient’s medical file was found in a public toilet at Roscommon University Hospital (RUH), while five years of personnel files relating to the local mental health service were lost and never recovered.
These were among 82 data protection breaches reported by Saolta University Health Care Group and regional services between January 2018 and May 2019, internal documents have revealed.
Another data breach occurred in Roscommon Mental Health Service in August 2018, after a patient “forcefully extracted” a file from a doctor. On the same day, an X-ray film was found on a window sill at the hospital.
The breaches have been described as “serious incidents” by a patient advocacy group, which criticised the “careless custody” of individuals’ private medical records by the HSE.
Elsewhere within the Saolta group, misplaced patient records from Letterkenny University Hospital were found in a pub; and a staff member with Galway Mental Health Service accidentally posted a photo of a client on Facebook.
A breach also occurred at University Hospital Galway (UHG) when at least nine patients who had attended the hospital last April subsequently received a letter advising them that they had won money in the European Hospital Patient Lottery.
It is not known how the patients’ details were obtained, but a spokesperson for the group said that they “do not believe our systems were compromised”.
In February 2018, medical records that had been requested under the Freedom of Information Act were inadvertently issued by RUH to a solicitor instead of the individual to whom they related.
Last February, lab results sent by RUH to a patient’s GP were accidentally delivered to a member of the public.
“A patient’s right to privacy and confidentiality should not be violated by careless custody of their records,” said Stephen McMahon of the Irish Patients Association.
He said that, while “it’s not a witch hunt,” individuals responsible for data protection breaches should be identified, and there should be full disclosure to the patients or families affected.
A spokesperson for the health authority said an increase in the number of such incidents may be attributable to the enactment of the new General Data Protection Regulation (GDPR) in May 2018.
“The HSE takes all breaches of data protection seriously and all such cases are fully investigated to establish how they occurred,” she said. “After we investigate breaches… we put preventative measures in place to reduce the risk of such breaches happening again.”