[BreachExchange] Cork hospital fined €65k after patients' personal data found in public recycling facility

Destry Winant destry at riskbasedsecurity.com
Thu Nov 5 10:51:53 EST 2020


https://www.irishexaminer.com/news/arid-40075673.html

The Data Protection Commission (DPC) has handed down a €65,000 fine to
Cork University Maternity Hospital (CUMH) after the personal data of
78 of its patients was discovered disposed of in a public recycling
facility elsewhere in the county.

The complaint was first raised with the DPC in June 2019 after a
member of the public, who had discovered the documents, brought the
matter to the HSE’s attention.

The executive then reported the data breach to the DPC.

The breach, an infraction of the hospital’s responsibilities under the
EU’s General Data Protection Regulation (GDPR), is understood to have
consisted of a large number of documents, equating to the personal
data of 78 people and the special category personal data of six of
them.

Special category data under GDPR is information of a particularly
sensitive nature, the exposure of which could be expected to
significantly impact the rights and freedoms of data subjects or could
be potentially used against them in a discriminatory fashion.

It includes information regarding individuals’ race or ethnicity,
religious beliefs, political opinions, biometric (identifiable) data,
sexual orientation, and health data.

The breach at CUMH is believed to have comprised sensitive health data
of patients, including medical histories and future planned programmes
of care.
In its decision, handed down on August 18, the DPC said that the HSE
had infringed Articles 5 and 32 of the GDPR by failing to “implement
appropriate technical and organisational measures to ensure a level of
security appropriate to the risk presented by its use and disposal of
hardcopy documents containing patients’ personal data”.

It is unknown whether or not any individual or individuals were held
accountable for the breach, or how the documents came to be disposed
of in the manner in which they were.

Regardless of what individual disposed of the documents, the hospital,
as data controller, would have been deemed responsible.

The DPC said it had applied an administrative fine of €65,000 on the
HSE for its infringements. The ruling has not been appealed.

“Cork University Maternity Hospital accepts the findings of the report
of the Data Protection Commission in full and are working to implement
all recommendations in the report,” said a spokesperson for the
hospital.

They said that all patients affected by the breach had been notified of it.

“The HSE takes all breaches of data protection seriously and all such
cases are fully investigated to establish how they occurred and
preventative measures are put in place to reduce the risk of such
breaches happening again,” they said.

“This is in addition to a comprehensive training and development
programme for staff in GDPR as well as a range of policies and
procedures designed to protect personal data.”

The DPC also ordered the HSE to bring its systems for processing and
disposing of patients’ information “into compliance” with GDPR
standards and issued the executive with a formal reprimand regarding
same.

The decision is just the fifth fine handed down by the DPC since GDPR
came into force in May 2018. The other four were delivered to child
and family agency Tusla.