The HSE and the Data Protection Commissioner have opened investigations into the reported discovery of private medical records of patients in a bin outside Roscommon General Hospital.
Dozens of files allegedly belonging to hundreds of patients at the Midland Regional Hospital in Mullingar containing names, addresses and detail of sensitive medical tests were discovered outside Roscommon Hospital, 47 miles away.
The files were discovered early last week by a woman walking her dog and they were handed over to the Roscommon Hospital Action Committee. The committee, which has been campaigning against the downgrading of A&E services at Roscommon, reported the discovery to the Data Protection Commissioner.
The data commissioner's office has received the documents and gardaí have been informed about the breach.
Deputy data protection commissioner Gary Davis said that from his initial investigations he was satisfied that the cause of the breach lay entirely within the HSE. He added that the hospital action committee had acted in good faith in the matter.
In a statement earlier, the HSE said it had “very clear policies in place” for the disposal of confidential documents and said it takes any potential breach of these policies “extremely seriously”.
Roscommon Hospital Action Committee chairman John McDermott said there was no attempt to shred the documents or block out personal details before they were dumped.
“There was a variety of documents. One document would have the patient’s name and address, chart number, diagnoses, treatment,” he said.
“Some of them would have been typed and there would have been additional notes in Biro on them. And then you would have reports on things like colonoscopies, CT scans.” Mr McDermott said.
A personal data security breach code of practice approved by the office of the Data Protection Commissioner under the Data Protection Act compels organisations that have lost control of personal data to report the incident as soon as they become aware of the incident.
The records in question reportedly contain private information pertaining to patients who have received treatment in another Midlands hospital.
The latest discovery comes after an investigation was opened into a suspected data breach involving the records of patients of Tallaght hospital in Dublin. The hospital confirmed last week that there had been “unauthorised access and disclosure” of material sent to the Philippines for transcription by the company Uscribe.
A number of other hospitals subsequently confirmed they have used the services of the company at the centre of the suspected data breach.
The data commissioner has the power to open its own investigation into breaches of personal data which can include on-site examination of systems and procedures and could lead to a recommendation to inform those affected about the security breach.
Additional reporting: PA