Data breach of medical information from West Australian Government laboratory
August 16, 2017
Human error, frailty or just plain old-fashioned misbehaviour remains a huge problem for maintaining data security. A recent Beazley report on data breaches highlighted that, while ransomware attacks attract the headlines, accidental acts or omissions are a major cause of data breaches. They account for 30% of breaches, slightly behind hacking and malware attacks. In the healthcare sector accidental breaches account for 42% of the incidents. Much of that is preventable with proper protocols, systems and regular training and auditing.
There is a real but manageable problem of some employees misusing the personal information of others for emotional, as in non-financial, reasons. That often happens in the financial sector, with bank employees checking on the financial records of love interests or rivals (see the decision of the Court of Appeal for Ontario, Canada, in Jones v Tsige) or family members, or with employees who are just a bit curious (see the article on 11 August about a midwifery assistant in the UK who spied on 29 patients’ medical records because she was “nosy” and passed them on to others). The humiliation and distress caused by such breaches is acute and well recognised.
The West Australian, in its report “Love rival in PathWest privacy breach”, reports on a very significant data breach in which an employee of PathWest divulged confidential medical test results of a romantic rival to her ex-husband in that love triangle. The victim only found out about the breach 18 months after it occurred, in August 2014, when she separated from the man. The breach was particularly egregious because it appears that the leaker/ex-wife suggested that her ex-husband see a doctor and obtain a course of antibiotics. The implication is clear: the victim had a sexually transmitted disease.
The story highlights the importance of securing data, recording access to that data, putting in place restrictions on its ability to be downloaded, recording any downloading of that data and, most importantly, having proper training. Having a regulator who can investigate and punish breaches is also important, which is not the case in Western Australia. West Australian public agencies are not subject to the Privacy Act 1988. There is no dedicated privacy and data security legislation in Western Australia.
Just on the limited information in the article, there is a reasonable prospect of a breach of confidence action against PathWest at least. It was responsible for maintaining the confidentiality of a laboratory test. The last superior court decision involving breach of confidence in Australia was the West Australian decision of Wilson v Ferguson, so it is not an area of law unknown to the bench.
The article provides:
A female PathWest employee divulged confidential medical test results of a romantic rival to the man in their love triangle.
In the latest scandal to hit the State Government-run laboratory, PathWest has confirmed the privacy breach amounted to misconduct.
It is giving all staff “refresher training” in ethics but has refused to divulge the employee’s punishment, citing confidentiality.
The revelations are the latest headache for the trouble-plagued health agency which has been under investigation by the Public Sector Commission since April over the mishandling of DNA material that resulted in a wrongful burglary conviction.
Public servant Suzanne, 46, said she felt “humiliated” after a man with whom she had been in a relationship told her that his estranged wife, the PathWest employee, had divulged her private pathology test results to him.
Suzanne said the woman told her estranged husband to see a doctor and obtain antibiotics, implying that the results showed evidence of a sexually transmitted disease, which was false.
Suzanne said the privacy breach occurred in August 2014 but the man did not tell her about it until January last year, 18 months after she and the man split up.
The man and the PathWest employee had been separated since November 2013.
“She had told him of my results before I had even heard them from my doctor,” Suzanne said.
“Of course this rocked me to the core. I was extremely upset.”
Suzanne demanded reassurance from PathWest that her medical records had not been compromised before or since.
PathWest replied in June last year, saying “appropriate action” had been taken against the employee consistent with WA Health’s misconduct policy, without giving details.
“In order to protect the interests of all parties, further information pertaining to the investigation and any associated disciplinary outcomes is confidential,” it wrote.
Health Minister Roger Cook wrote to Suzanne last week saying the matter had been managed in line with relevant policy, leaving her dismayed.
“I should know what sort of penalty she received, and anecdotally from her former husband I know she has retained her position in PathWest, albeit with some minor disciplinary action,” Suzanne said.
“This woman should not be employed by the WA public sector in any capacity in my view. I don’t believe that anybody should suffer the type of humiliation that I went through.
“I had to subsequently have more pathological tests done and it broke me down at the prospect that she would once again have access to my medical information.”
A Health Department spokeswoman said last night PathWest reported the breach to the department immediately after receiving it. “The matter was also appropriately reported to the Corruption and Crime Commission,” she said.