Tallaght unaware of data firm switch

  • Niall Hunter, Editor

Tallaght Hospital has said the company it used by for many years for the outsourcing of medical transcription services failed to tell it that it had changed ownership twice between 2009 and 2011.

A probe is currently underway into how a major patient data confidentiality breach occurred relating to the outsourcing of transcription services by the hospital.

The Data Protection Commissioners' Office, which is currently investigating how sensitive patient information got into inappropriate hands as a result of the data breach, told irishhealth.com the change of ownership is one of the factors being looked into as part of its investigation.

From 2004 until May of this year, when the contract was terminated, Tallaght was using a private firm, UScribe, to transcribe some of its medical reports and letters and under this arrangement, material was being sent to the Philippines for transcription.

The hospital admitted earlier this month that patient information had been subject to unauthorised access and disclosure.

The Hospital told irishhealth.com that the ownership of UScribe changed in 2009 to another firm, Health Office, and the ownership reverted to U-Scribe in 2011.

"The ownership of UScribe changed in 2009, reverted to the original owner (UScribe) in 2011, but the company failed to advise the hospital of this. The intermediate owner was Health Office, based in the Philippines. U-Scribe did not inform the hospital about these two changes of ownership."

A Tallaght siokesperson said while there was no legal obligaiton on the company to advise it of such a change, 'in such circumstances suppliers would normally inform customers of any significant change of ownership.'

Tallaght Hospital has said it terminated its transcription contract with the UScribe firm in May of this year, following an evaluation of the contract initiated the previous year. It has now employed a new transcription service provider.

The hospital says it has always been the case that all material for transcription be encrypted and this practice has always been followed. However, it admitted that while it has been policy since 2010 that no patient identifiers should be used "regrettably, this policy has not always been followed in practice."

The Tallaght data breach is currently being investigated by the Data Protection Commissioner and the hospital has also asked the Gardai for assistance.

The hospital said its IT director has gone to  the Philippines to assist their legal authorities. The hospital has also been liaising with the National Bureau of Investigations in the Philippines and the UK Information Commissioner.

A spokesperson for the Data Protection Commissioner's office said the changes of ownership of the transcription  company formed one of the key components of its current investigation.

It is expected that the Commissioner's probe will take some time to reach a conclusion, given the number of agencies involved and the complexity of the issue.

Labour TD for Dublin Mid-West Robert Dowds told irishhealth.com said he would be concerned that in a situation where sensitive material was being handled, that that there had been changes in the ownership of the transcription company and the hospital had not been informed about this.

Deputy Dowds, who recently met with Tallaght Hospital management on the issue, said he indented to raise the data protection issue at the Oireachteas Health Committee.

Around four other hospitals and many individual doctors who used UScribe are also being contacted by the Data Commissioner. To date, no evidence has emerged that patient data breaches occurred outside Tallaght Hospital.

UScribe's Dublin office was contacted for comment but no response was forthcoming.



Nickname: to be used for all future posts.
Notification: Tick this box if you wish to receive e-mail notifications of further posts on this topic