DOZENS of Clare patients are expected to be affected by a breach of patient information at University Hospital Limerick.
The UL Hospitals’ Group are writing to 630 patients including 95 children concerning a breach of patient data in relation to their attendance at the Emergency Department in UHL between April 18th and April 22nd last.
The data in question was extracted from an automated system used in the ED to dispense medication safely, according to a statement issued by the group.
It was taken, without HSE knowledge or approval, by an employee of a company, which was then supporting this system; and not by any HSE employee.
This information was published online in the form of a file linked from a Twitter account.
This file contained personal data including patients’ names, date of birth and the names of medications dispensed while they were in the ED. The medications were primarily painkillers and antibiotics.
The group became aware of the breach on May 29th. Immediate actions were taken by the HSE and by UL Hospitals’ Group to protect patient data. Twitter blocked the link to the data and disabled the account in question.
An Garda Siochana were notified and the HSE obtained a High Court Order on June 5, 2020 restraining the individual concerned from communicating confidential information. This breach was also reported to the Data Protection Commission (DPC) on May 29.
The group stated it is only now writing to patients as it has taken some time to understand the nature and extent of the breach.
It believes that the data has not been widely shared and that the manner in which it was published online in the form of a Structured Query Language (SQL) file would have taken a degree of technical knowledge to rebuild and make sense of.
SQL is a programming language, which is used to manage and retrieve data in a database. A database is a repository of data.
These database files on the file system are not human readable without the use of either the Microsoft SQL Server software or a freely available SQL viewer.
Earlier this week, the group had received no inquiries from any party who has accessed patient details online.
The group is now writing to patients and guardians to comply with data protection regulations and to advise that there remains a residual risk of future unauthorised disclosure, in spite of the High Court injunction that remains in place to restrain the individual from further sharing data.
The group has apologised to its patients in writing for this data breach and for any distress this will cause. It also set up a helpline and shared these details with the patients concerned. Patients who have not received a letter from the group are unaffected by this data breach and are kindly requested not to phone the helpline.
This matter has been notified to An Garda Siochana and to the Data Protection Commissioner. The group has also convened a Serious Incident Management team (SIMT) to investigate this incident at a local level and take any necessary actions to further secure patient data.
Dan Danaher