Estonian hospital sends patient home with other people's health data

A person who underwent X-ray imaging at West Tallinn Central Hospital (LTKH) was sent home with a USB drive that also contained the personal and health data of other patients.
ERR has received information about a person who went to West Tallinn Central Hospital to undergo an X-ray. Because the images needed to be forwarded to a specialist, the person was advised to save them on a USB drive as a precaution, so they would not have to travel back and forth between hospitals.
Following this recommendation, the individual purchased a new USB drive from the hospital, which was not supposed to contain any other data.
However, upon arriving home and reviewing the medical data saved on the drive, the person was surprised to find not only their own information but also the health data of several other patients.
This did not stop at patients' names, personal identification codes and procedure dates; the files also included details such as patients' medical histories.
Because this kind of sharing of personal data seemed unusual, the individual did not examine the contents of the folders more closely. As a result, there may have been even more sensitive information on the device.
An image sent to ERR shows that the oldest X-ray file on the USB drive dates back to 2019. In addition, for some patients, the records indicate exactly what body part was imaged. To protect individuals' personal data, names and personal identification numbers have been redacted.

Hospital unable to explain the mix-up
Providing patients with X-ray images on a USB drive is standard practice at LTKH, according to the hospital's communications specialist, Virkko Lepassalu.
Lepassalu said this is only done at the patient's request — for example, if the patient is continuing treatment at a private clinic, receiving care abroad or seeking a second opinion outside West Tallinn Central Hospital.
"If a patient wishes to take X-ray images with them on a USB drive, a previously unused USB drive is provided at LTKH," Lepassalu said.
Lepassalu was unable to explain how other patients' personal and health data ended up on the device, adding that the hospital cannot begin an investigation until the patient files a formal complaint.
According to the Data Protection Inspectorate (AKI), the presence of another patient's data in the possession of a third party is unacceptable and likely indicates a breach of personal data protection requirements.
"A healthcare institution must have clear and functioning procedures for how patients' health data is released. All possible risks must be mitigated, including the possibility that other patients' data may accidentally be stored on the same data carrier," explained AKI public relations adviser Maire Iro.
--
Editor: Marcus Turovski








