Pound Road Medical Centre: Own motion investigation report by Privacy Commissioner

July 15, 2014

The Privacy Commissioner has conducted an own motion investigation into Pound Road Medical Centre (PRMC). The investigation applied the Privacy Act as it stood before the amendments that took effect on 12 March 2014.

FACTS

On 23 November 2013, a shed located at 16 Amberley Park Drive, Narre Warren South was broken into. Boxes of medical records were stored in the locked shed. During the break-in the boxes, and therefore the documents, were compromised. The medical records were created when PRMC operated as a medical centre at the site. PRMC ceased operating the medical practice at the site from 6 April 2011, and since that date has conducted its practice from new premises.

In about October 2012, the records were transferred from a locked room inside the site to the shed so that renovations for sale of the site could occur. The shed door was locked with three padlocks. PRMC believed that all the paper-based health records stored at the site had been transferred to a locked store at its new premises.

A representative from PRMC initially visited the site two to three times a week and later once a week for purposes of maintenance, repairs and renovations to prepare the site for sale.

The Office of the Australian Information Commissioner (OAIC) was notified that there were boxes of unsecured medical records at the site on 25 November 2013.

The personal information compromised in the data breach consisted of:

  1. patients’ ‘identifying particulars’, specifically full name of patient, last address of the patient, date of birth, Medicare number and treatment details/progress notes
  2. a document completed by patients to include their name, date of birth, country of birth, marital status, occupation, address and phone number
  3. results of medical investigations, correspondence with other medical and health practitioners, discharge summaries and other documents from hospitals
  4. payments to medical practitioners
  5. staff pay records
  6. batched Medicare vouchers
  7. paid invoices, and
  8. accounts to third parties (such as WorkCover and the Victorian Transport Accident Commission) for services to PRMC patients.

PRMC estimated that the paper-based health records stored in the shed at the site related to approximately 960 patients; that estimate did not include individuals other than PRMC patients whose personal information was also contained in the documents. The majority of the compromised health records related to individuals who had ceased to be active patients of the medical practitioner who conducted the practice prior to 2004.

Prior to the data breach PRMC reviewed paper-based patient health records every two years to identify:

  • whether the complete paper record has been scanned into the patient’s computer record (and if not, any remaining documents are scanned to the computer record, and then the paper-based file is destroyed by secure shredding by PRMC’s contractor), and
  • records which are eligible to be destroyed in accordance with the Health Records Act 2001 (Vic). Particularly, these records are reviewed for the last activity date, and if eligible for destruction, recorded and placed in a secure bin which is collected by PRMC’s contractor for secure shredding.

The last review of paper-based records prior to the data breach occurred in early 2011.

DECISION

As the breach occurred prior to 12 March 2014 the National Privacy Principles (NPPs) applied, rather than the current Australian Privacy Principles. The relevant NPP was NPP 4 (Data Security), in particular NPP 4.1 and 4.2, which provided:

  • NPP 4.1 required organisations to take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure, and
  • NPP 4.2 stated that, if an organisation no longer needs personal information for any purpose under NPP 2, then the organisation must take reasonable steps to destroy or permanently de-identify it.

NPP 4.1 – Data Security

Health information is sensitive information requiring a higher level of privacy protection. Accordingly the OAIC stated that under NPP 4 it was reasonable for an organisation to take more extensive steps to protect health information than may be required to protect other, less sensitive kinds of personal information.

While PRMC stated that the personal information in question did not relate to current patients, personal information that is not current, or that does not relate to current patients, may still cause harm in the event that it is compromised.

The Commissioner found that more stringent steps were required of PRMC to keep this information secure than may be required of organisations that do not handle sensitive information and that PRMC failed to meet the requirement to keep the sensitive information it held secure.

The Commissioner found that the reasonable steps an organisation should undertake under NPP 4.1 include:

  • monitoring the movement of physical files
  • regularly auditing (or stocktaking) the content of files, including when they are moved, to ensure:
    • knowledge of the contents, and
    • that any information that is no longer required can be securely disposed of or de-identified, in accordance with NPP 4.2 (and currently APP 11.2)
  • implementing physical access controls, such as issuing a limited number of keys or passes to areas in which the information is stored
  • monitoring and guarding the location in which the information is stored, and
  • using a secure means of storage, such as a safe, or a secure or locked room in monitored, guarded or staffed premises.

The Commissioner found that PRMC did not take reasonable steps in relation to the compromised personal information, there being no circumstances in which it would be reasonable to store health records, or any sensitive information, in a temporary structure such as a garden shed. It was an exacerbating factor that the shed was not located at PRMC’s premises, which meant that PRMC was not in a position to effectively monitor access to the shed, and that it did not identify or deal with the health records stored at the site for a period of more than 2 years following the relocation. A further relevant factor was that PRMC did understand that the records stored in the shed contained personal information.

NPP 4.2 – Data Retention and De-identification

In order to satisfy the requirements of NPP 4.2, ‘reasonable steps’ include:

  • procedures; and
  • adherence to those procedures.

PRMC did not have systems in place to identify all personal information that was not being used or disclosed for a permitted purpose at the relevant time.

While PRMC believed that the relevant documents comprised information other than patient health records, those records also contained personal information. Accordingly, PRMC’s obligation to securely destroy or de-identify personal information that was no longer required would still have applied to the records it knew were in the shed.

As the majority of the records related to patients who ceased to be active patients prior to 2004, they were at least eleven years old. This indicated a failure by PRMC to identify and securely destroy or de-identify personal information that was no longer being used or required.

The Commissioner found that prior to the data breach PRMC failed to take reasonable steps to destroy or permanently de-identify personal information it held that was no longer in use or needed, in contravention of NPP 4.2.

The Commissioner also noted PRMC’s advice above that the majority of the records identified in the shed following the data breach related to patients who ceased to be active patients prior to 2004. The majority of records were therefore at least eleven years old, which also indicates a failure by PRMC to identify and securely destroy or de-identify personal information that was no longer being used or required.

For the reasons above, the Commissioner considered that prior to the data breach PRMC failed to take reasonable steps to destroy or permanently de-identify personal information it held that was no longer in use or needed, in contravention of NPP 4.2.

Other matters

Following the data breach, PRMC said it:

  • moved all documents that were previously stored in the garden shed to its new premises, in a locked room within the main practice area. The practice uses digital access controls and is monitored by external provider security cameras;
  • developed a data breach response process; and
  • will now review paper-based patient health records annually to identify whether they may be de-identified or securely destroyed.

and following the Commissioner’s recommendation it is also:

  • undertaking a risk assessment with respect to their records management and privacy practices and intends to engage a specialist privacy consultant to undertake a further risk assessment, help ensure adherence to privacy policies and procedures, and undertake periodic reviews of data security processes;
  • organising privacy training for all staff including particularly partners, doctors and any other health professionals;
  • developing a data breach response plan to adequately reflect its obligations under the Privacy Act and APPs, and to enable it to meet those obligations in the event of a future data breach;
  • reviewing its privacy policy; and
  • implementing measures to review paper-based patient health records annually to identify whether they may be de-identified or securely destroyed.

The Commissioner noted that PRMC did not notify the OAIC or the individuals affected about the data breach. PRMC correctly noted that ‘it was not necessary to notify those individuals whose health records had been retrieved from the shed’. To which the Commissioner pointedly noted:

Notifying the OAIC and affected individuals as appropriate can be a useful step in responding to a data breach. The Commissioner encourages notification where there is a real risk of serious harm to affected individuals, and particularly where notification may assist individuals to mitigate the potential misuse of their personal information by enabling them to take steps to protect themselves.

Based on the information from PRMC about its review and remediation of the data breach and PRMC’s ongoing implementation of recommendations made by the OAIC, the Commissioner decided to close the investigation.

Statement to the media

The Privacy Commissioner issued a statement in relation to the own motion investigation, stating:

The Australian Privacy Commissioner, Timothy Pilgrim, has found a medical centre in Melbourne in breach of the Privacy Act 1988 by failing to take reasonable steps to secure sensitive medical records.

The Office of the Australian Information Commissioner’s (OAIC) investigation established that Pound Road Medical Centre (PRMC) stored medical records of approximately 960 patients in a locked garden shed at premises no longer operated or staffed by them. In November 2013, the shed was broken into and the medical records were compromised.

The Privacy Commissioner noted the seriousness of the case particularly as the records contained sensitive personal information such as full name, address, date of birth, Medicare number, treatment details including results of medical investigations and discharge summaries.

‘The Privacy Act requires organisations to take reasonable steps to protect the personal information of their customers. I can’t think of any circumstances in which it would be reasonable to store health records, or any sensitive information, in an insecure temporary structure such as a garden shed,’ Mr Pilgrim said.

The Privacy Commissioner also warned organisations about the importance of secure document storage.

‘Physical security of hard copy documents is just as important as digital security. There is no point in converting paper records to a secure digital system, and then leaving the paper files unsecured. If paper records are no longer needed, they should be disposed of securely,’ Mr Pilgrim said.

The majority of the medical records related to individuals who stopped being patients of PRMC before 2004. The Privacy Act requires organisations to securely destroy or de-identify personal information that they no longer require.

‘If organisations don’t need to keep personal information for a legal purpose, then they must have a system in place to dispose of it securely. Get out the shredder or hire a secure document destruction service. If you don’t, you’re putting your clients at risk of identity theft or fraud, and your company at risk of enforcement action.’

ISSUE

It is important to realise that the Privacy Commissioner’s investigation was undertaken under the previous, relatively toothless regime. For that reason it is not prudent to predict the approach the Privacy Commissioner will take under the new provisions.

Viewed objectively this breach of data security was very serious. Health records are near the pinnacle of sensitive information. A person’s health records are almost invariably kept secret from all but the patient, his or her treating health professionals and close family members. The manner in which the records were kept was slipshod, inefficient and incompetent. Moving surplus documents around as part of a move is very common, but it is important to keep track of where those documents are stored and what those documents are. That PRMC didn’t realise until informed that the documents included medical records of almost a thousand former patients highlights its lack of processes. Even assuming, as PRMC believed, that those documents were not medical records, they still contained, on PRMC’s own belief, personal information. As is typical with this type of data breach, other compliance issues arose upon closer investigation. Here there were no processes to review and destroy or de-identify documents for which there was no further use or any legal requirement to keep.

PRMC clearly had no privacy architecture in its processes and practices. The remedial action it is taking goes some way towards dealing with future problems.

If this breach had occurred in the United Kingdom and the investigation had been undertaken by the Information Commissioner’s Office, it is highly likely that a fine and an enforceable undertaking under the Data Protection Act would have been the outcome, if its previous practice (on which I post regularly) is any guide. In the US context the consequences would have been severe, with the FTC, state regulators and probable civil litigation.

The findings have attracted media attention in the form of an Age article titled Medical centre in Narre Warren South breached privacy laws by keeping files in shed. This sort of coverage causes reputational harm, a factor all organisations should bear in mind.
