The Data Protection Commission (DPC) has initiated an investigation into the Health Service Executive (HSE) after discovering that patient files were compromised due to improper storage practices. This breach, which involved unauthorized access to external storage facilities and the circulation of videos displaying sensitive medical records, has raised significant concerns about the security and retention of personal data. The investigation, notified to the HSE on Tuesday, is the most significant action taken since the new data protection commissioners, Dale Sunderland and Des Hogan, assumed their roles in February.
The inquiry focuses on two specific locations where the data breaches occurred, with unauthorized individuals accessing and sharing videos of paper medical records. The compromised files were also in poor condition, with problems such as water damage, further exacerbating the issue. While the immediate investigation stems from these two breach notifications, Commissioner Hogan emphasized the need to look wider, assessing systemic issues and potential vulnerabilities across other areas.
The GDPR violations could result in substantial fines, with public bodies facing penalties of up to €20 million. The largest fine previously imposed on a state body was €110,000 on Limerick City and County Council for unauthorized CCTV installations. The commission's 2023 annual report, which highlights a 20% increase in complaints, underscores the growing scrutiny of data protection practices. The report also notes significant fines, including a €1.2 billion penalty against Meta for data transfers from the EU to the US. This investigation into the HSE aims to address and rectify broader data protection challenges within public sector organizations.