'No identity theft in Tallaght data breach'

  • Niall Hunter, Editor

The Data Protection Commissioner has said no evidence has emerged of patient identity theft or the selling of patient data taking place as a result of a major medical data breach at Dublin's Tallaght Hospital.

During the summer, the Commissioner started investigating a major data protection breach arising in relation to the outsourcing by Tallaght of the transcription of medical notes on patients to an Irish firm based in the Philippines.

The Commissioner's office told irishhealth.com this week that as result of its investigation it was not aware that money was sought to access illegally the records concerned or of any issues of identity theft etc affecting any of the Tallaght patients whose records were used by the service.

However, the Commissioner says it is still investigating the situation regarding the outsourcing of patient data from other hospitals and individual consultants to the Philippines.

Tallaght Hospital confirmed back in August that patient medical reports had been the subject of unauthorised access and disclosure as a result of the outsourcing of transcription services.

Both the Data Protection Commissioner and the Gardai have been investigating the matter since the summer. Tallaght has been working with the National Bureau of Investigations in the Philippines on the issue.

During the summer, Tallaght secured a court order empowering the Philippines authorities to search the premises of the company concerned and seize relevant computer equipment.

The Data Commissioner told irishhealth.com that as part of the investigation, a forensic analysis report was carried out on seized servers and equipment at the Philippines office.

It said its investigations to date had ascertained that there was no evidence of identity theft or similar issues or that any attempt was made to sell confidential data in relation to the Tallaght patient reports. However, it was evident that an outside party did illegally get access to confidential patient data at some stage.

The report, according to the Commissioner, focused exclusively on records in relation to Tallaght and no information was contained in this report in relation to any other Irish-based health entity.

Following the revelation about the Tallaght patient data breach, it emerged that the firm which was subject to the investigation had also been used by other hospitals and individual consultants for medical report transcription outsourcing.

The Commissioner said it has sought the assistance of the Philippines authorities to establish whether any information on patient reports by other parties came to light during the analysis of the data retrieved following the seizure of computer equipment.

The Commissioner's office said it was continuing its investigations and was in contact with both Tallaght and 'all other Irish-based entities that used the transcription service.' It said the exact number of patients about whom confidential data may have been disclosed was not yet known.

Tallaght Hospital ceased using the transcription company, Uscribe, in May of this year and now uses another service for transcription.


Nickname: to be used for all future posts.
Notification: Tick this box if you wish to receive e-mail notifications of further posts on this topic