UHL personal data breach – a cause for concern for over 600 patients

At a glance:

The data of 630 patients who attended the Emergency Department of University Hospital Limerick between the 18th and 22nd April 2020, including their name, date of birth and names of medication dispensed to them, was published on Twitter. Those patients were notified by UL Hospital Group by letter about this breach of data protection law. We explain what you can do if you were impacted by this breach.

We have had a number of enquiries from people in the last two weeks on foot of a letter received from UL Hospital Group at the start of this month confirming that a breach of their personal data occurred earlier this year.  

The letter confirmed that data of patients who had attended the Emergency Department of University Hospital Limerick between the 18th and 22nd April 2020, including their name, date of birth and names of medication dispensed to them, had been published on Twitter by an employee of a company engaged by the hospital to manage an automated medication system. The letter states the data was taken and published without the consent of UL Hospital Group or the HSE.

According to the letter, the HSE became aware of the breach on the 29th May 2020, at which time Twitter blocked the link to this data and disabled the account in question. The letter does not confirm the date the Twitter link was published by this individual, and so there is some uncertainty as to how long the link was online. According to the letter, the hospital’s technical experts do not believe the data was widely shared online.

The letter says that while UL Hospital Group have taken certain steps to limit the breach, including notifying An Garda Síochána and the Data Protection Commissioner (DPC), there is still a residual risk of further unauthorised disclosure of the data. The reason given in the letter for the delay in notification of the breach is that it was ‘complex and difficult to find out the precise nature of the information disclosed and how widely it was shared’.

The letter finished by giving an apology from the HSE and UL Hospital Group for any distress caused by the incident. It has been reported that the data leak involved the personal data of 630 patients, of which 95 were children. 

GDPR and breaches of your data rights 

Under the General Data Protection Regulation (GDPR), people, or data subjects, are given rights in terms of their personal data, including means to enforce those rights against data controllers and data processors when breaches of their personal data occur. There is no doubt a personal data breach as defined in the GDPR occurred due to the publication of the UHL patient information. Indeed, details of medication patients were prescribed would be considered ‘sensitive personal data’ under GDPR.

When a personal data breach occurs, there are two options for redress open to data subjects: a complaint to the DPC or a legal claim.

A complaint can be made to the DPC online when a data breach occurs, and the DPC are then obliged to provide you with an update or outcome report within three months. If the investigation of a data breach goes on for longer, the DPC will provide updates at three-month intervals thereafter. The DPC have a variety of powers to reprimand organisations where infringements of GDPR are found to occur, including temporary or permanent bans on processing personal data or administering fines.

The DPC website contains very useful information in this regard and a link to their website is provided here.

The right of a person who has suffered a data breach to make a legal claim is contained in Article 82 GDPR which says: ‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’ 

What do you do following a breach of your personal data rights?

Often you will not be aware that a breach of your personal data rights has occurred. Since the GDPR was adopted in Ireland, where a data controller or data processor discovers a data breach has occurred, they are obliged to report this data breach to both the data subject and the DPC within a certain timeframe.

As the area of data protection law is quite technical, it is advisable for people who have received a notification that their data rights have been breached to contact a solicitor for legal advice.

If you have received a letter in relation to the incident and you have concerns, then please contact Ed Kelly, Solicitor on 061 445553 or via email at info@homsassist.ie.