Personal data of residents at St Vincent de Paul Residence, in Luqa, was for some time available online and also “mistakenly” e-mailed to all staff members, Times of Malta has learned.

The Office of the Data Protection Commissioner has now launched an investigation into the mishap, which occurred this week.

Sources told the newspaper a file containing the personal data of hundreds of inmates was “mistakenly” e-mailed to all employees at the elderly people’s home. For some time, the information was also available on the St Vincent De Paul Residence website.

The published data included names, ID card numbers, dates of birth, addresses and information on when and how they were admitted and the ward they were in.

A spokeswoman for St Vincent De Paul Residence confirmed the data breach. Describing it as “an incident”, she said “personal data was circulated as a mail shot to St Vincent de Paul employees and has been reported to the Commissioner for Data Protection”.

She pointed out that “an inquiry board would be looking into the matter and then decide whether any action should be taken, if necessary.”

It was Times of Malta that informed the Office of the Data Protection Commissioner about the data breach on Wednesday. The following day, the elderly people’s home management filed a report with the Commissioner.

“We confirm that, on Thursday, St Vincent De Paul notified the Commissioner for Data Protection of a personal data breach,” a spokesman said.

He said that preliminary information indicated that an electronic file containing the patients’ personal data was “mistakenly” e-mailed by a member of staff to all employees. The disseminated information did not include medical details, he noted.

Personal data breaches are classified in different categories depending on their nature and gravity, according to data protection laws. 

They noted that “although this incident falls within the category of ‘internal non-malicious’, the Commissioner takes all data breaches notified with his Office very seriously and has launched an investigation to establish the facts”.

The spokesman said the commissioner had no evidence that the data was available online adding that such an eventuality would make the matter more serious.

Senior officials at St Vincent De Paul Residence told the newspaper they were not surprised at what happened given the situation there.

“Management inside this institution is at an all-time low with many departments at the residence in complete disarray,” a senior employee said.

“Mismanagement, particularly in finances, is the order of the day and no one seems to be responsible,” he added. The government has, so far, not made any official announcement on the data breach. According to the law, all those affected by the breach have to be informed.