Finder of patient details accused by HSE of data breach
From the no-good-deed-shall-go-unpunished-until-we-find-where-we-misplaced-our-common-sense dept., Catherine Shanahan reports:
A man who found sensitive patient data on a city centre street and who highlighted his concerns in the media has been accused by the HSE of a data breach.
Luke Field, who found data containing patient names and details of surgical procedures on the pavement of South Terrace, Cork City on Friday, April 26, attempted to report his find to the appropriate data protection officer in the HSE South the following day. However, the office was closed over the weekend.
He then contacted Cork University Hospital (CUH) as the data related to patients attending its plastic surgery department, and was advised by a staff member to return the data to reception in a sealed envelope, and that it would be processed after the weekend.
Mr Field, a Labour candidate for Cork City South Central in the upcoming local elections, said he held off on returning the data as he wanted to hand it back to someone “with direct data protection responsibility”. He decided to contact the media to highlight the delay he encountered when trying to report his find to the appropriate official, as there was no out-of-hours contact service.
However, the HSE said because Mr Field “voluntarily disclosed” the data to a third party — the Irish Examiner — this constituted “an unauthorised disclosure” of personal data and that Mr Field is now obliged to report his own disclosure “as a further data breach to the Data Protection Commissioner”.
Read more on Irish Examiner while I mutter to myself some more.
So anyone who discovers a leak or breach and provides evidence of it to the media has now committed their own breach of the data protection laws? Surely that cannot be.
I hope they sort this one out.