Advertisement

We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

Shutterstock/igorstevanovic

Tusla suffers 23 'high risk' data breaches - including stolen files and loss of devices - since last year

The vast majority of the cases involved an “employee error or omission”.

THE CHILD AND family agency Tusla has suffered over 200 data breaches in the space of just over a year and a half including 23 that were classified as “high” risk.

The cases included the loss of an unencrypted device, unauthorised access to personal data, files getting lost or stolen, and deliberate disclosures of sensitive information.

A detailed breakdown of the cases show there were 71 breaches in the second half of 2018 and a further 130 incidents last year.

The breaches were broken down into four risk categories, ranging from no risk at all up to high.

Altogether, 23 of the incidents were classed as “high” risk, a further 53 deemed medium risk, and 123 categorised as low risk. A further two were said to have had no risk attached.

The vast majority of the cases – a total of 163 out of 201 – involved an “employee error or omission”.

However, one incident involving an “intentional act” by an employee was recorded as were seven external incidents involving “intentional” disclosures.

In one case, a contractor working for Tusla was also responsible for an intentional data breach according to records released under the Freedom of Information Act.

Of the just over two hundred cases, forty seven were down to an error involving sending data to the incorrect email.

Another fifty two cases involved postal address mistakes and nineteen breaches were described as a “record shared in error”.

Four breaches involved “system misuse” and thirteen cases were incidents where records were incompletely redacted and contained more private information than they should.

Of the 23 cases categorised as “high risk”, the majority involved employee error or omission but two were described as involving an “external intentional act”.

Geographic location was only available for the 2019 data and it showed the majority of breaches took place in Dublin.

Twelve were reported at Tusla headquarters last year while 15 were recorded in the Dublin North area.

The highest overall figure was the sixteen breaches reported in the country’s Mid-West region while just one breach was listed for each of Mayo, Kerry, and North Dublin.

Tusla has been levied with two fines by the Data Protection Commissioner already this year.

The latest case related to a breach involving unauthorised disclosure of information to an alleged abuser, which was subsequently posted to social media.

In the other case, Tusla was fined €75,000 for three separate breaches, one of which involved the accidental disclosure of contact and location data of a mother and child to an alleged abuser.

The two other cases involved disclosure of data about children in foster care to a grandparent and an imprisoned father.

A spokeswoman for the agency said they handle 60,000 referrals to child protection and welfare services each year and are responsible for a further 6,000 children in care.

“The volume of data Tusla deals with on a daily basis, and the complexity and sensitivity of much of this data, means that on occasions when breaches regrettably do occur, that this may have a significant impact on the people involved,” she said.

“We are acutely aware of our responsibilities in relation to this very sensitive data, and take all breaches extremely seriously.”

She said all breaches were reported to the Data Protection Commissioner within 72 hours and every measure possible was taken to retrieve the information.

Tusla also said they had appointed a new data protection officer late last year, ran significant training programmes, were rolling out an awareness campaign, and actively building expertise.

Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

View 9 comments
Close
9 Comments
This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
Leave a Comment
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.

    Leave a commentcancel

     
    JournalTv
    News in 60 seconds