Tallaght hospital in Dublin has claimed police raids on a company based in the Philippines have established that an offence was committed in relation to a data breach involving sensitive patient records.
More than 60 Irish hospitals, doctors or other health facilities are now involved in the investigation into how such records fell into “inappropriate hands”, it has emerged.
Tallaght confirmed earlier this month that there had been “unauthorised access” to records it had sent to a private company, Uscribe, for transcription. While that company has an Irish office, the records were sent on to its Philippines office.
Acting chief executive at Tallaght hospital, John O’Connell, confirmed today that Uscribe’s Philippines offices were raided by police last week as part of the investigation.
This established that an offence had been committed, he said.
Mr O’Connell said the IT director of the hospital had travelled to the Philippines and had secured a court order empowering the authorities there to search the premises of the transcription service and to seize all electronic equipment and data.
He said that following a police raid on those offices last Thursday (August 4th) this data was now being examined by the Philippines authorities, who would report to their courts before September 7th.
“This investigation will show the extent of data which remains on the transcription system in the Philippines.”
Mr O’Connell said that at the end of the process, such data would be “deleted irretrievably” as it was already held by Tallaght hospital.
“An offence has been committed. Tallaght Hospital is determined that those responsible be pursued in all appropriate jurisdictions,” he added.
Mr O’Connell said that as soon as it became evident that some patient information had got into inappropriate hands, the hospital “worked with authorities in Ireland and the Philippines to determine the extent of the information breach and to ensure that this could not reoccur”.
He said the hospital had worked very closely with the Data Protection Commissioner throughout the investigation.
The hospital stopped using the services of Uscribe in May and “now has state-of-the-art and robust procedures with a new service provider”, Mr O’Connell said.
The Tallaght records initially under investigation were records of patients’ consultations with doctors rather than full medical records.
The Data Protection Commissioner has sent letters to all 60 health clients of Uscribe and has told them he expects a response by the end of the month.
Deputy data protection commissioner Gary Davis said today his office had a concern that “it just wasn’t possible” that the data breach could be confined to Tallaght hospital, given the number of health clients of Uscribe whose data was also being sent to the Philippines.
“Anything that made its way to the Philippines was affected,” he said.
Mr Davis said his office had written to the 60 bodies or individuals and was “going to make them take responsibility for the decisions they have made”.
The majority of the 60 clients are doctors and consultants. Only about four are hospitals.
Mercy University Hospital in Cork has used the company for several years and Peamount Hospital in Dublin has also said it continued to use the service without problems.
Galway University Hospital outsourced transcription to Uscribe for a six-month period several years ago.
Uscribe did not respond to a request for comment.