
Video of medical records posted on TikTok in HSE data breach

The Data Protection Commission has opened an investigation into the Health Service Executive over data breaches related to videos of paper medical records being posted online.

The DPC said the inquiry concerns the storage and retention of personal data contained in paper records held by the HSE via its use of external storage facilities.

It is understood one of the incidents relates to a video posted on TikTok in November last year showing a person going through boxes of patient records in the now-vacant St Conal's Psychiatric Hospital in Letterkenny, Co Donegal.

The other incident is believed to have occurred at a Dublin facility.

Breaches of security at these facilities were notified to the DPC by the HSE.


"The breaches notified to the DPC related to two specific locations which were accessed by unauthorised third parties and the circulation of videos taken from these locations showing paper medical records located at these facilities," the DPC said.

The HSE said the two separate data breaches occurred in 2023 and that it will co-operate fully with the inquiry.

"The HSE takes all breaches of data protection seriously and manages all breaches of data protection in line with data protection legislation and HSE policy," a HSE spokesperson said.

The Data Protection Commission has released its 2023 annual report, showing that last year was a record year for fines with penalties worth €1.55 billion being imposed.

This includes a €1.2 billion fine imposed on Meta in May 2023 over data transfers from the EU to the US.

Photo: jamierob2/TikTok

In September 2023, the DPC fined TikTok €345 million following an investigation into the processing of children's data.

Meta and TikTok have appealed the rulings in the High Court.

In 2023, the DPC had its decisions to impose administrative fines on five different organisations, ranging between €15,000 and €750,000, confirmed in the Dublin Circuit Court.

All of these fines have been collected and transferred to the Irish Exchequer.

In February 2023, the DPC fined Bank of Ireland €750,000 for a series of data breaches relating to its Banking 365 app.

In January 2023, the DPC fined Centric Health €460,000 following a ransomware attack affecting patient data.

The DPC received 11,200 new cases from individuals in 2023, representing a 20% increase on 2022.

The commission received 6,991 valid breach notifications last year, which was also 20% up on the previous year.

In February of this year, Helen Dixon finished her term as Data Protection Commissioner and the Government announced the appointment of two new Commissioners, Dr Des Hogan and Dale Sunderland.

"My fellow Commissioner, Dale Sunderland, and I would like to take this opportunity to acknowledge with deep gratitude Commissioner Helen Dixon's stewardship of the commission over the past ten years," Dr Hogan said.

Mr Sunderland said the breaches give rise to concern as to how the executive meets its obligations to secure physical records on its properties.

Speaking to RTÉ's Today with Claire Byrne, he said they have informed the HSE that investigations are underway.

"We're looking at how they secure physical records, how long they retain them for and whether they're meeting their obligations under data protection law," he said, adding that a range of files with highly revealing information were accessed.

Mr Sunderland said any organisation that retains personal data must do it securely and must not keep the information for longer than necessary.

He said his office had submitted a series of questions to the HSE, adding that it was "early days".