Data Breach at University Hospital Limerick
We are writing to 630 patients concerning a breach of patient data at University Hospital Limerick.
This relates to patients who attended the Emergency Department at UHL between April 18th and April 22nd last.
The data in question was extracted from an automated system used in the ED to dispense medication safely. It was extracted, without HSE knowledge or approval, by an employee of a company which was then supporting this system, and not by any employee of the HSE. This information was published online in the form of a file linked from a Twitter account.
This file contained personal data which included patients’ names, dates of birth and the names of medications dispensed while they were in the ED. The medications were for the most part those you would expect to be dispensed in an emergency department (i.e. painkillers and antibiotics).
We became aware of the breach on May 29th. Immediate actions were taken by the HSE and by UL Hospitals Group to protect patient data. Twitter blocked the link to the data and disabled the account in question.
An Garda Siochana were notified and the HSE obtained a High Court Order on 5th June 2020 restraining the individual concerned from communicating confidential information. This breach was also reported to the Data Protection Commission (DPC) on the 29th May.
We are only now writing to patients as it has taken some time for UL Hospitals Group and the HSE to understand the nature and extent of the breach. We believe that the data has not been widely shared and that the manner in which it was published online (an .SQL file)* would have taken a degree of technical knowledge to rebuild and make sense of. We have to date received no inquiries from any party who has accessed patient details online.
We are now writing to patients to comply with data protection regulations and to advise that there remains a residual risk of future unauthorised disclosure, in spite of the High Court injunction that remains in place to restrain the individual from further sharing data. Where the patients concerned are children, we are writing to their parents or guardians. Of the 630 patients involved, 95 are children.
We have apologised to our patients in writing for this data breach and for any distress this will cause. We have also set up a helpline and shared these details with the patients concerned. Patients who have not received a letter from us are unaffected by this data breach and are kindly requested not to phone the helpline.
This matter has been notified to An Garda Siochana and to the Data Protection Commissioner. UL Hospitals Group has also convened a Serious Incident Management team (SIMT) to investigate this incident at a local level and take any necessary actions to further secure patient data. It would be inappropriate to comment further on the matter at this time pending the outcome of any investigative process.
*SQL stands for structured query language. It is a programming language which is used to manage and retrieve data in a database. A database is a repository of data.
A Microsoft SQL database consists of two main types of file.
1. The data file (.mdf file) – The data file contains all the data in the database
2. The log file (.ldf file) – The log file is used to record transactional information on the database
The data file has a suffix of .mdf and the log file has a suffix of .ldf.
These database files on the file system are not human readable without the use of either the Microsoft SQL Server software or a freely available SQL viewer.
An SQL database opened in a programme such as Notepad, for example, is not readable. However, there are readily available online tools where you can view these files without having prior SQL Server knowledge or access to a SQL Server environment.