Person pretending to be Tusla worker turned up at children’s residential unit on night shift – The Irish Times

by Priya Shah – Business Editor

Tusla Data Breaches: Security Lapses Expose Sensitive Information

Thousands of incidents reported, including impersonation and long-lost files

The Child and Family Agency, Tusla, has reported a concerning number of personal data breaches, with a significant number classified as “high-risk.” These incidents range from a deliberate impersonation at a children’s residential unit to the discovery of files missing for over two decades.

Impersonation Incident at Children’s Unit

In June 2023, an individual falsely posing as a Tusla employee gained unauthorized access to a residential unit for children. Using the credentials of an authorized staff member, the imposter remained overnight, accessing children’s personal data, case files, and employee records. The records reveal that this breach occurred with the “assistance of the ‘authorised operative’,” and other staff members were unaware of the imposter’s true identity.

The incident was reported to Tusla’s data protection unit and the Data Protection Commission three days later. A review found no indication that any service user was negatively impacted by this specific breach, which was categorized as a “high-risk” access control deficit.

Widespread Data Security Failures

Tusla’s records, released under the Freedom of Information Act, highlight a pervasive issue with data security. Between 2019 and July 2024, over 2,000 data breaches were reported. Nearly a quarter of these were deemed “high-risk.” The most common breaches involved emails sent to incorrect addresses, followed by instances of “information overshare,” where sensitive details of multiple individuals were inadvertently disclosed.

Long-Term File Loss and Abuser Data Disclosure

In a separate “high-risk” incident, files containing personal data were discovered at the private residence of a former Tusla staff member after being missing for 26 years. The files were originally taken home in 1998 for work purposes and were subsequently lost until their discovery in January of last year. Tusla had no access to these files during the period they were missing, hindering business needs that required their retrieval.

Another alarming breach allegedly occurred when details of a mother and child fleeing abuse were shared with their alleged abuser. David Hall, CEO of Sonas domestic violence charity, criticized Tusla for this incident, stating that the data of women and children escaping domestic violence was “not safe.” He has expressed dissatisfaction with the assurances provided by Tusla regarding the protection of this sensitive data.

Financial and Regulatory Consequences

The cost to Tusla due to personal data breaches since 2020 has exceeded €500,000. This includes €134,500 in damages and €177,164 in legal costs since 2022. Furthermore, the Data Protection Commission levied fines totaling €200,000 in 2020 for breaches of GDPR. These fines ranged from €35,000 to €75,000, with the DPC ordering Tusla to implement measures to ensure data security appropriate to the risk.

Increasing Breach Numbers and Ongoing Concerns

Despite regulatory action, the number of reported breaches has increased from 362 in 2020 and 2021 to over 400 annually in subsequent years. While Tusla reports a recent reduction in “high-risk” breaches, the Irish Council for Civil Liberties has voiced significant concern, stating that the volume of breaches raises serious questions about Tusla’s GDPR compliance and data protection policies. They urge the Data Protection Commission to thoroughly examine these figures.

A Tusla spokesperson acknowledged that breaches “occasionally and regrettably occur” due to the large volume of data processed. They emphasized that the agency takes all breaches seriously, acts swiftly to inform affected parties, and conducts thorough risk assessments. Tusla is implementing systematic reviews and updating training to mitigate future incidents.

Data from the U.S. Department of Health and Human Services shows that healthcare organizations reported 253 data breaches affecting over 100 individuals in 2023, highlighting that data security is a significant challenge across public services globally (HHS Breach Portal, 2023).
