TikTok video revealing access to medical records spurs inquiry into HSE data breaches
Regulators have opened an investigation into two Health Service Executive (HSE) data breaches after videos posted online showed people accessing medical records which were supposed to be in secure hospital storage.
The inquiry by the Data Protection Commission (DPC) comes after the HSE notified it of incidents last year at a Dublin hospital and at a building in the old St Conal’s psychiatric hospital in Letterkenny, Co Donegal.
The DPC is the national supervisor responsible for enforcing data privacy law.
The Dublin incident in October was livestreamed online, it is understood. In the Letterkenny incident in November, a TikTok video showed people going through boxes of historical medical files.
“The inquiry into the HSE concerns the storage and retention of personal data contained in paper records held by the HSE via its use of external storage facilities and breaches of security which were notified to the DPC by the HSE,” said Graham Doyle, a deputy commissioner with the DPC.
“The breaches notified to the DPC related to two specific locations which were accessed by unauthorised third parties and the circulation of videos taken from these locations showing paper medical records located at these facilities.”
Asked about the investigation, the HSE said it will “co-operate fully” with the inquiry.
“The HSE today received a Notice of Commencement of an Inquiry from the Data Protection Commission into two separate HSE data breaches which occurred in 2023,” it said in reply to questions.
“The HSE takes all breaches of data protection seriously and manages all breaches of data protection in line with data protection legislation and HSE policy.”
News of the HSE data breaches came as the DPC published its 2023 annual report, saying the number of data breach notifications rose 20 per cent to 6,991 in the year. The body also reported a 20 per cent rise to 11,200 in the number of cases it processed.
The DPC has sweeping powers to supervise the pan-European operations of big tech companies such as Facebook, Google and TikTok which have their EU headquarters in Ireland.
The institution had 51 cross-border inquiries on its books at the end of 2023 under the EU general data protection regulation (GDPR), a body of law in force for six years which aims to tighten control over how business uses personal data. The 2023 list includes six ongoing investigations into Facebook owner Meta, three into Google and two into X, formerly Twitter. Investigations into Yahoo!, LinkedIn, Yelp and Tinder were also set out.
The Irish regulator imposed a record €1.2 billion fine one year ago on Meta over data transfers to the US, and fined TikTok €345 million in September for violations involving children’s data. The companies have appealed the penalties.
Asked when an ongoing inquiry into TikTok data transfers to China will reach its conclusion, DPC chairman Dr Des Hogan indicated the commission was close to sending a draft decision for scrutiny by its European counterparts.
“At the moment we are hopeful of moving that into the Article 60 process over the summer period,” Dr Hogan said, referring to a GDPR procedure.
Dr Hogan and DPC commissioner Dale Sunderland took office in February in succession to Helen Dixon, who had chaired the institution for 10 years.
Asked whether large fines such as the Meta and TikTok penalties had led big tech companies to change their behaviour when it came to privacy violations, Dr Hogan said complaints received by the DPC showed “we’re not at the end of the road”.
“If everything was fine there wouldn’t be a need for a regulator or the regulator’s role would be slightly different,” he added.
“The fact that we continue to receive complaints and we continue to receive infringements means that this is an ongoing area that needs robust regulation.
“So in terms of whether they have learned their lesson or not, it’s not so much learning a lesson. It’s more taking on board the principles of the GDPR and incorporating that into the way that they operate.”