Insider threats in the health sector are a significant threat to privacy
June 20, 2016
The health sector is complex and data driven. From a single doctor's surgery to large teaching hospitals, the amount of data collected is enormous. There is highly sensitive personal information in a patient's medical file, financial information in billing details, Medicare and health insurance information, and employee records. There is a trove of information kept on site. Often medical information is accessible from multiple sources, with many parties such as doctors, nurses and specialists needing access. Unfortunately, poor data storage and access policies and inadequate training mean that many other staff can, and sometimes do, access sensitive personal information. Then there is the problem of data disposal. Masses of personal information are kept in paper form and the quality of the disposal is all too often haphazard.
This is amply highlighted by recently reported incidents including:
- in June an employee of the Hamilton General Hospital in Canada snooped on the medical records of 397 patients with reason;
- the University of New Mexico Hospital had a data breach involving 2,800 patients whose personal information was sent to a wrong address;
- the medical records of 24 patients were found dumped in a city bin;
- in May in the USA a hospital apologised for releasing 14 video clips involving patients, including women undergoing obstetric procedures, while in New York in April the New York Presbyterian hospital settled a claim brought by the Department of Health and Human Services for $2.2 million for filming patients without consent while they were receiving urgent medical care;
- in April hackers broke into a large hospital chain, MedStar, even though it had been made aware of software flaws, through notices from the government, from at least 2007.
And there are other instances. In Australia there is no mandatory data breach notification, so it is difficult to assess the extent of data breaches in Australia. The media here is far less interested in this subject than the media overseas.
Health information is defined as sensitive information under the Privacy Act. Notwithstanding this sensitivity, the culture within health centres is ambivalent towards data security, and the quality of the training and the commitment to compliance with data protection laws are very poor.