Major data breach at UL Hospitals Group exposes patient info - Gript

MAJOR DATA BREACH AT UL HOSPITALS GROUP EXPOSES PATIENT INFO
UL Hospitals Group, responsible for managing six hospitals in the midwest region, announced a significant data breach resulting in the inadvertent sharing of personal and medical information belonging to over 1,000 patients with an unknown third party.

The breach occurred in January when a staff member mistakenly sent the data to an unidentified recipient.

The affected patients received gastroenterology services at University Hospital Limerick, Ennis Hospital, and Nenagh Hospital between 2018 and January 2023. The breach involved an email attachment containing “patient names, dates of birth, medical chart numbers, and limited medical information,” according to ULHG in a statement. However, no personal contact details like phone numbers or email addresses were compromised.

Despite immediate efforts to retrieve the email and recover the data, the UL Hospitals Group has been unsuccessful thus far. The recipient of the email remains unidentified, and it is uncertain whether the email account is active or dormant. The group has not discovered any evidence indicating further disclosure, sharing, or publication of patient information since the initial breach.

Upon discovering the breach internally on January 25th, UL Hospitals Group promptly reported the incident to the Data Protection Commissioner on January 31st. Now, the group is directly contacting affected patients to inform them of the breach and extend apologies.

This is not the first time there was a data breach at the Limerick Hospitals Group. In a separate incident in April 2020, allegations emerged that a non-HSE employee had shared personal and medical data of 630 patients, including 95 children, who had visited the Emergency Department at University Hospital Limerick. ULHG contacted these patients in May 2020 to notify them of the alleged breach, which led to the Gardaí being called in to investigate.

Additionally, more than 100,000 individuals impacted by 2021’s HSE cyberattack – the worst cyberattack in Europe that year – were contacted by the health service, with the HSE reviewing and assessing the data, in collaboration with the Data Protection Commissioner, to determine the extent of the breach and any associated risks.

Although the majority of the affected data was less sensitive, a minority of individuals may have had more confidential information compromised.

Ireland’s National Cyber Security Centre (NCSC), headed by Communications Minister Eamon Ryan, is tasked with preventing and responding to cyber attacks on critical systems and networks within the state. The organisation has a budget of just €7 million and employs a total of 25 staff as of 2022.