Patients at a Dublin-based company, which conducts liver scanning procedures, have been informed of a significant data breach affecting the company's email system.
RTÉ's This Week programme has learned that the company, Liver Wellness, wrote to customers last month to say that the company's email account had been hacked.
The company said that the hacker had used the company's email account to write to customers asking them to share sensitive personal information in return.
In emails seen by the programme, the company told patients that it was treating the issue "very seriously" - and that it had notified the Data Protection Commission about the breach.
Liver Wellness is a private health screening company based in south Dublin, which specialises in scans and tests on patients' liver function.
Among the types of information which they keep on file are patient medical history; the patient's family medical history; what the company calls "medical social history" - which includes information such as a history of alcohol use; medical information provided by GPs; and also medical test information, such as blood tests, liver scans, and so forth.
Liver Wellness wrote to customers in mid-October.
In those emails, seen by RTÉ, the firm said that it had come to its attention that an "unauthorised access" to the Liver Wellness email account had occurred.
It said that as a result, customers received an unauthorised email requesting personal data.
In effect, someone took over the company's email address and then sent out fake emails, meaning that some patients would have received an email in their inbox and thought that the company was looking for specific personal data from them.
There is no indication that any of the core information held by the company was accessed by hackers, but customers may have been tricked into sending information themselves upon receipt of an email purporting to be from the company.
In its initial email to customers in October, Liver Wellness went on to say that it was taking the incident "very seriously" - and advised customers to delete any suspicious request for personal data.
It said its own IT team and Microsoft cybersecurity were working on the issue.
In a subsequent email, the company said that the incident had been reported to the Data Protection Commission and it was certain no further unauthorised access had taken place.
The company did not respond to a series of queries from RTÉ.
However, a spokesperson for the Data Protection Commission did confirm that it had received a notification of the breach at the end of October, and that it was currently engaged with Liver Wellness to gather more details about the incident.