The email account of a Hiqa employee was hacked and access was gained for a number of hours.
Spam-type emails were sent to several recipients, and the incident was reported to the Data Protection Commissioner.
According to freedom of information files, it's one of 22 data protection breaches the health watchdog has experienced since the beginning of last year.
Three of these were reported to the Data Protection Commissioner.
Stephen McMahon, from the Irish Patients Association, says last September's email hacking was a worry.
"It's important now that HIQA takes measures to ensure that no employees' email accounts get hacked," he said.
"It's important to learn from the other examples of breaches in data protection that were not necessarily reported to the Data Protection Commissioner."
Hiqa says it takes its responsibilities under GDPR very seriously and has procedures in place to ensure it complies with data-protection obligations.