GDPR

mario21 · 06-05-2023 7:21pm #1

I’m not sure if I’m posting in correct area so apologies if not. I’m a chronically ill person so lots of hospital records. Recently I’ve been made aware that someone (who I know vaguely through a friend) has looked up my file in the hospital I attend. Now I know Ireland is a small place but I was appalled and have requested my files back. I’m wondering should I take this further though but I’m under enough stress. Anyone any thoughts if this is an inappropriate post please delete but I’m not looking for legal advice at all. Thanks

micar · 06-05-2023 7:35pm

I assume these files are all digital.

Had the person any need to look up your file?

How were you made aware?

How certain are you that the person actually did this.

I would contact the complaint department in the hospital and ask if there was a possible breach here.

I don't know if a record is kept on who accesses patient records.

06-05-2023 7:43pm

I’m so sorry to hear of your situation. I’m presuming this person who looked at your records had no professional business doing so but either worked in a hospital/medical setting or that they had absolutely no business passing on information to an inappropriate individual such that you heard it back? Or someone who had no business at all being near any medical records and managed to hack in?

You would need to lodge a complaint to the healthcare facility. If that facility is still involved in your care they would need to maintain the record. You can always request your own medical records, but that doesn’t mean they delete the original. Now I’m very hazy about how you would go about getting records deleted, doctors / hospital may need to retain them for legal evidence of treatment given for their own indemnity.

06-05-2023 7:46pm

I’m currently in a position where I’m literally begging places to share my medical records so as I don’t have to repeat tests, especially a lumbar puncture, and am having difficulty in achieving this. It seems generally records are very protected in my experience.

mario21 · 06-05-2023 8:40pm

Thanks for feedback guys. I’m fairly certain to be honest but it was done to get basic information about me like addresses and phone. I think that’s all they’d see to be honest or maybe when I’ve been in the dates etc… I won’t go into too much detail but basically you know how small Ireland is with everyone knowing everyone. The person had no need to look me up and whilst they’d see very little I am wondering if there’d be a login which would point back to the person in question.

06-05-2023 8:46pm

It’s very difficult to know about a login, it entirely depends on individuals job role, organisation etc. if they have an administrative role in the place where you are registered then they would likely have access to the metadata.

Big Bag of Chips · 06-05-2023 8:59pm

If you have proof that this person accessed your personal information outside of the duties of their job, then you should contact the patient services department. All complaints are investigated. You will need to have some sort of proof though. "Fairly certain" mightn't be enough.

Clerical hospital workers have access to the names, addresses and telephone numbers of all patients registered in the hospital. They also have access to the list of scheduled appointments, hospital stays etc. They might not look you up specifically, but might see your information if searching for another patient of a similar name. Clerical staff are regular given vague information by doctors and nurses eg 'Paul Murphy, aged about 45, lives in Sligo'

So they will search for all Paul Murphys aged 40-50. They will then get a list of names and addresses and often times have to look through the list and their attendances to find the correct patient.

For clarity I work in a hospital. I have access to some medical information of pretty much everyone I know. I haven't time, or the inclination to be looking people up. It certainly wouldn't cross my mind to look a friend of a friend up. But sometimes I do inadvertently come across the name and address of someone I know. Sometimes I also deal directly with people I know. I don't mention who I am unless the person recognises me and mentions it first.

Contact the patient services office on Monday, with everything you know. Ask to he kept informed of the outcome.

06-05-2023 9:03pm

Also be wary of hacking in general, not to make anybody overly paranoid about it. I’m interested in various hacking methods purely as an interest, much as I am with many technical and scientific things.

There was the major HSE hacking with data sold on the dark web. I explore the dark web myself out of interest and have seen various data pertaining to some leaks being sold off for trivial sums. The point of some of these hackings is to demonstrate how the hacking organisations (eg dark Russian forces) can make data, sometimes fairly trivial stuff, but that puts two fingers to GDPR. The €20 for names & dates just encourages the curious to take a further look, but likely if limited value.

There’s such a thing as Google dorking (Google it), search methods that can uncover some leaked data. I have come across spreadsheets of emails & passwords, a good reason to change password regularly. Lots of gmail addresses, thousands. I’ve come across people’s (eg on Telegram messaging) ethereum wallet ids, but not the passcode to get in.

What I’m saying is there are methods of accessing data by outsiders of an organisation, so it may have nothing intentional to do with anyone working in a hospital, except for an original unfortunate hacking.

10-10-20 · 06-05-2023 9:35pm

You can ask the hospital's admin department whether they maintain audit logs. These types of logs enable a historical view of all access requests to your records on a patient management system. You should inquire whether these logs could be made available through a GDPR request.

mario21 · 06-05-2023 10:35pm

Yes I think it will be hard to prove. I’ve access in my own job to peoples information and wouldn’t look up anyone unless it was work related. This person quoted a list of my inpatient stays and I heard it back but it is hearsay… they aren’t working in admin but would be a doctor either. I was sent an appointment for a procedure at the hospital in question and I’ve postponed it as I feel really uneasy. I think it will be able to be traced back through log ins if they provide me that information as this person would be in an unrelated department and I don’t have a name that’s very common so it would be unlikely they’d accidentally search for it at all.

Big Bag of Chips · 06-05-2023 10:47pm

Well if this employee is telling other people about your inpatient stays then that is a breach and should be reported. As far as I'm aware the patient information system doesn't log who has looked up a record, only who has amended a record, but I might be wrong about that. Other system such as labs and radiology etc log who has accessed a record at all, just looking it up will leave a log.

GerardKeating · 26-05-2023 10:48am

https://www.boards.ie/discussion/comment/120563776#Comment_120563776

In a lot of hospitals, many medical records are still paper. Any time i visit, there have large stacks of paper records. Some will be digital, but a lot of paper.

Difficult to regulate/monitor/record access to paper records.

26-05-2023 3:04pm

https://www.boards.ie/discussion/comment/120642290#Comment_120642290

I know, when I got all my records from the Beacon, they were scanned copies of typed paper notes and handwritten stuff.

GDPR

Comments