The Office received a data security breach notification from a G.P. which reported that an email containing a patient file had been sent to an incorrect recipient. This was the result of a typographical error when entering the email address. The patient file was exported from the software system used by the G.P. and attached to the email. The data controller became aware of the matter when the intended recipient contacted the data controller advising that they had not received the email.
The data controller advised our Office that they had notified the affected individual of the matter.
As part of our investigation into the matter, we contacted the software supplier to determine how easy it would be for a third party to access a patient file exported from their system. The software company stated that only an individual with a registered copy of their software could open or access the patient file. The file would have to be imported into the software system to be read. Our Office asked whether there was any other software that could be used to open the file. We were advised that the file could not be opened in a legible format outside of their own software.
The data controller also advised our Office that, as a means of preventing a repeat of such an incident, it proposed that, where it was sending a patient file to another G.P., the receiving G.P. must first send it an email requesting the patient file. The data controller can then reply directly to that email, ensuring the correct address is used.
The data controller also sought our advice on raising this issue in a public forum as a means of raising awareness of the dangers. We responded by stating we had no objections to such a course of action, provided that no personal data was disclosed.
As our Office was advised by the software company that the email could not be accessed by the recipient, we recorded the matter as a non-breach.
This issue highlights the necessity for sending sensitive data, such as medical data, via a secure means. It shows how easy it is for emails to be issued to an incorrect recipient and how, without some means of securing the data contained within the email, that data could be disclosed to an unauthorised party.
URL: http://www.bailii.org/ie/cases/IEDPC/2013/2013IEDPC17.html