Two data breaches at the HSE last year relate to records held at facilities in Dublin and Donegal, the Data Protection Commissioner has said.
An investigation has been launched after paper records containing personal information were posted on social media.
The Data Protection Commission (DPC) says its inquiry concerns the "storage and retention of personal data contained in paper records" and breaches of security at external storage facilities where these records were held.
The HSE has received a notice of commencement of an inquiry from the DPC and says it will fully cooperate.
Data Protection Commissioner Dale Sunderland told The Pat Kenny Show how the investigation came about.
"We have informed the HSE that we've commenced an inquiry under the Data Protection Act to look into how the HSE manages its physical files and retention and storage across the estate of HSe facilities," he said.
"Late last year the HSE made two breach notifications to us.
"Records stored in two facilities - one in Donegal and one in Dublin - had been authorities by unauthorised persons who had taken video of personal data... and had posted them online".
'Sensitive data'
Commissioner Sunderland said the DPC wants to look at the HSE systems in a broader context.
"Any personal data - in particular health data which is sensitive data - should be maintained and stored in very secure locations, and not retained for longer than it should be," he said.
"We want to look at this in a broader context across the HSE estate facilities and how they manage such records".
File photoCommissioner Sunderland said the DPC remit covers both digital and paper records.
"The GDPR extends to all forms of personal data in both digital and hard copy records where such records would have formed part of a filing system," he said.
"They relate to individuals' files [which] were clearly put away in some form of storage but significant issues arising from that as to how they were accessed and how they were secured".
A hacker coding a computer virus, 29-3-19. Image: Westend61 GmbH / AlamyCommissioner Sunderland said the issue came to light because of videos of the records posted on social media.
"It was evident from some of those videos that personal data was contained in the records and there was different types of medical records," he said.
"That's the underlying concern and that's how it came to our attention and to the attention of the HSE."
Commissioner Sunderland added that the inquiry will look at the HSE's responsibility as a data controller.
