
Cyber Incident Victim: University Hospital Limerick

Date: Oct 2020

Location: Ireland

Summary

A data breach at University Hospital Limerick exposed personal and medical information of 630 patients, including 95 children, after alleged unauthorized access by a non-employee. The compromised data included names, dates of birth, and prescribed medications from the hospital's emergency department records. The information was subsequently posted on social media platforms, prompting the hospital to notify affected individuals via letters and involve law enforcement authorities in the investigation.


Description

On or around October 6, 2020, University Hospital Limerick (UHL) initiated notifications to 630 patients regarding an alleged major data breach involving their personal and medical information. The breach came to light after unauthorized individuals posted patient data on Twitter, prompting UHL to engage in a formal response process. The compromised data included patients' names, dates of birth, and details of medicines dispensed during their visits. This information was extracted from a computer system associated with the Emergency Department at UHL, specifically targeting records from April 2020. Among the affected individuals were 95 children, heightening concerns about the sensitivity of the exposed data. The hospital confirmed the breach involved a non-HSE employee, though no further details about the perpetrator's identity or motives were disclosed. UHL's immediate action included drafting individualized letters to all impacted patients to inform them of the incident and its scope. Concurrently, the hospital reported the breach to Ireland's national police force, An Garda Síochána, initiating a law enforcement investigation into the unauthorized access and dissemination of records. The incident raised operational questions about data access controls within the hospital's Emergency Department systems during the referenced timeframe.

The breach exposed highly sensitive medical information, including prescription details, which could potentially be exploited for identity theft, fraud, or harassment. Public exposure via Twitter amplified privacy risks, as the platform's broad reach made containment of the disseminated data challenging. UHL's response focused on regulatory compliance and patient transparency, adhering to breach notification protocols mandated under data protection laws. No information was disclosed regarding technical remediation measures, system audits, or changes to access controls following the incident. The involvement of a non-HSE employee suggested potential vulnerabilities in third-party or contractor access management, though the hospital did not elaborate on this aspect. Gardaí assumed investigative jurisdiction, indicating the incident was being treated as a potential criminal matter. The breach occurred during a period of heightened strain on healthcare systems due to the COVID-19 pandemic, though no direct link between pandemic operations and the breach was asserted. UHL's public communications emphasized procedural adherence to breach response guidelines without detailing long-term mitigation strategies or patient support services beyond initial notifications. The incident remained under active investigation by authorities at the time of reporting.
