More than 600 patients have been impacted by a data breach at University Hospital Limerick
UNIVERSITY Hospital Limerick has launched an investigation into a major data breach in which a rogue non-HSE employee leaked personal details belonging to more than 600 patients, including 95 children, to the internet, the Limerick Leader can exclusively reveal.
According to a letter received by patients this week and seen by the Limerick Leader, the IT employee uploaded a file link—containing patients’ names, dates of birth, and medications used—to Twitter.
The incident was reported to the gardai and the Data Protection Commissioner, and involved a High Court injunction to stop the individual from publishing this private information any further.
This data belonging to 630 patients, including 95 children, was taken from an automated system that is used at the Dooradoyle emergency department to dispense medication safely.
The individual was an employee of a company that was supporting this automated system, from which personal data was extracted “without HSE knowledge or approval”.
A spokesperson for the UL Hospitals Group said the data breach occurred between April 18 and 22 this year.
When the hospital became aware of the data breach on May 29, the HSE and the hospital group took “immediate actions”, after which social media giant Twitter “blocked the link to the data and disabled the account in question”.
A High Court order on June 5 restrained the individual from publishing this data any further, and directed the defendant to return all records and devices containing the confidential information.
In addition to gardai, the Data Protection Commissioner was notified on May 28.
However, the spokesperson said that all contacted patients are being advised that in spite of the High Court injunction “there remains a residual risk of future unauthorised disclosure”.
He said that the UL Hospitals Group has “apologised to our patients in writing for this data breach and for any distress this will cause.
“We are only now writing to patients as it has taken some time for UL Hospitals Group and the HSE to understand the nature and extent of the breach. We believe that the data has not been widely shared and that the manner in which it was published online would have taken a degree of technical knowledge to rebuild and make sense of. We have to date received no inquiries from any party who has accessed patient details online,” he explained.
The format in which the information was published was an SQL file, which can only be accessed using specific software.
In addition to a special helpline for those affected, a ‘serious incident management team’ has been established to “investigate this incident at a local level and take any necessary actions to further secure patient data”.
Patients who have not been contacted are unaffected by the data breach.
The company is no longer managing the automated system, and all passwords were changed immediately, the spokesperson added.