The Data Protection Commission (DPC) has initiated an investigation following the unauthorized access to personal data contained in paper records held by the Health Service Executive (HSE). Regulators launched an investigation after online videos showed unauthorized individuals accessing medical records that should have been securely stored in a hospital.
According to the DPC, the national agency in charge of enforcing data privacy regulations, the breaches took place at two separate facilities – one in Dublin and another in Donegal.
The HSE takes all breaches of data protection seriously and manages all breaches of data protection in line with data protection legislation and HSE policy.
Graham Doyle
The commission stated that its inquiry would focus on the storage and retention of important data stored in records held by the HSE via its use of external storage facilities, as well as any security lapses that led to these breaches.
Access to confidential medical data stored at a hospital in Dublin was caught on camera in a controversial TikTok video. Meanwhile, in Donegal, a TikTok user discovered thousands of medical files at an abandoned building belonging to the HSE.
Graham Doyle, a deputy commissioner with the DPC, noted that the investigation will examine how the HSE handled and stored sensitive information. The DPC stressed that the personal data contained in these documents should have been destroyed under proper protocols.
In response to inquiries about the investigation, the HSE has acknowledged the receipt of the notice of commencement of the inquiry and pledged to cooperate fully. In its statement, the agency confirmed that it had been notified about these incidents last year and reported them to the DPC.
Data breach trends and regulatory oversight
According to the DPC’s annual report, the number of data breach notifications in 2023 rose by 20% to 6,991. The commission also processed 11,200 cases during this period.
As a regulator, the agency has supervisory powers over the operations of tech giants like Facebook, Google, and TikTok in the EU, all of which have their headquarters in Ireland. By the close of 2023, regulatory bodies were engaged in 51 cross-border investigations addressing GDPR non-compliance among various entities. This included probes into Meta, with six inquiries, Google, with three, and the company formerly known as Twitter, now X, with two, among additional cases.
A year ago, Meta faced a historic €1.2 billion fine from the Irish regulator for data transfers to the US. Meanwhile, TikTok incurred a €345 million penalty in September for violating children’s data protection. Both companies have since appealed these fines.
The DPC is finalizing an ongoing inquiry into TikTok data transfers to China, and European counterparts are expected to review a draft decision soon. Dr Des Hogan, chairman of the government agency, expressed optimism that this process could reach a conclusion during the summer.
When asked whether large fines imposed on tech companies have changed their behavior regarding privacy violations, he stated that although progress has been made, there’s still work to be done based on the complaints received by the PC.
“The fact that we continue to receive complaints and we continue to receive infringements means that this is an ongoing area that needs robust regulation,” Dr Hogan stated.
If everything was fine there wouldn’t be a need for a regulator or the regulator’s role would be slightly different,
Dr Des Hogan
Core insights
The DPC has launched an investigation into the unauthorized access of personal data held by the HSE following incidents caught on video. Deputy Commissioner Graham Doyle highlighted concerns regarding how the agency handled sensitive information, emphasizing the necessity of proper protocols.
The HSE has pledged full cooperation with the inquiry and acknowledged the breaches reported last year. This incident underscores the critical importance of securely managing sensitive data in an era of increasing digitalization.
