The Data Protection Commission (DPC) has opened an investigation into the Health Service Executive (HSE) over data breaches related to the storage of paper medical records.
The DPC said the inquiry concerns the storage and retention of personal data contained in paper records held by the HSE via its use of external storage facilities.
Breaches of security at these facilities were notified to the commission by the HSE.
“The breaches notified to the DPC related to two specific locations which were accessed by unauthorised third parties and the circulation of videos taken from these locations showing paper medical records located at these facilities,” the DPC said.
The HSE said the two separate data breaches occurred in 2023 and that it will co-operate fully with the inquiry.
“The HSE takes all breaches of data protection seriously and manages all breaches of data protection in line with data protection legislation and HSE policy,” a HSE spokesperson said.
The DPC has today released its 2023 annual report showing that last year was a record year for fines with penalties worth €1.55 billion being imposed.
This includes a €1.2 billion fine imposed on Meta in May 2023 over data transfers from the EU to the US.
In September 2023, the DPC fined TikTok €345 million following an investigation into the processing of children’s data.
Meta and TikTok have appealed the rulings in the High Court.
In 2023 the DPC had its decisions to impose administrative fines on five different organisations, ranging between €15,000 and €750,000, confirmed in Dublin Circuit Court.
All of these fines have been collected and transferred to the Irish exchequer.
In February 2023, the DPC fined Bank of Ireland €750,000 for a series of data breaches relating to its Banking 365 app.
In January 2023, the DPC fined Centric Health €460,000 following a ransomware attack affecting patient data.
The DPC received 11,200 new cases from individuals in 2023, representing a 20% increase on 2022.
The commission received 6,991 valid breach notifications last year which also 20% up on the previous year.
In February of this year, Helen Dixon finished her term as Data Protection Commissioner and the Government announced the appointment of two new commissioners, Dr Des Hogan and Dale Sunderland.
“My fellow Commissioner, Dale Sunderland, and I would like to take this opportunity to acknowledge with deep gratitude for Commissioner Helen Dixon’s stewardship of the Commission over the past ten years,” Dr Hogan said.
Mr Sunderland described 2023 as a landmark year.
“The year saw a significant increase in complaints dealt with by the Data Protection Commission with record fines issued and corrective orders imposed following cross-border and national inquiries,” he said.
