A picture of a patient “inadvertently” shared to a private WhatsApp group, screening slides lost by a contractor as well as “misplaced” medical records were among data protection breaches at the HSE last year.
There were 624 data protection breaches notified at the health service last year, according to an anonymised log obtained by The Irish Times under the Freedom of Information Act.
This was an increase on the 620 breaches recorded in 2023.
Almost one-third (219) of the breaches related to letters being sent to the wrong address or to the wrong recipient. In addition, 140 breaches related to incorrect procedures when e-mailing, either identifying recipients or sending to the incorrect recipient.
RM Block
Many incidences in the 2024 data breach record related to the health system still operating on a paper-based system, which can lead to misplaced paper files as well as out-of-date postal addresses.
According to the log, on September 23rd last year, in the Sligo/Leitrim area, images of a service user were “inadvertently” shared in a private WhatsApp group.
A similar incident happened at an unknown date in at St Camillus Hospital, Limerick, with the log stating: “Images and health data of service users were shared in a private WhatsApp group”.
[ Social workers ‘afraid’ to share information about children due to GDPR concerns ]
On December 20th, the national screening service reported a data breach after a contracted service “lost slides”.
The protection of medical records was also an issue that occurred on a number of occasions.
In the Child and Adolescent Mental Health Services (Camhs) in Limerick, an employee “disclosed medical data of a service user to a third party without the consent of the service user”.
In the vaccination service in CHO4 area, which accounts for Kerry and part of Cork, records were “mislaid” but subsequently located.
In a community mental health team in Dublin northwest, a staff member’s backpack containing service documents was stolen.
In a statement, an HSE spokeswoman said the organisation took “all breaches of data protection seriously”.
“Where breaches do occur, the HSE investigates cases to understand how they occurred and preventive measures are put in place to reduce the risk of such breaches happening again,” she said.
“Such preventive measures include further staff training focusing on the root cause of data breaches, revision of guidance documents based on learning from incidents and raising the awareness of the importance of data protection through staff communications channels and the use of additional learning tools (videos).”
The health service is seeking to move towards using more digital technology, having earlier this year launched its health app, which now displays appointments from 32 hospitals.
“During 2026, we will start to provide people with the option to receive their health service communications securely through the app and increase the use of SMS for appointments,” the spokeswoman said.
