Data breaches in West Australian health systems
September 2, 2018
Staff accessing personal information without authority is a chronic problem in the health, police and financial services sectors. In Victoria, Victoria Police’s LEAP database, which contains personal information of most Victorians, has been misused on a depressingly regular basis, with inadequate sanction for those breaches. Only in the financial services sector does enforcement action tend to be swift and decisive.
In the health sector the culture is poor and breaches tend not to result in significant sanction. The private health sector is most vulnerable to data breaches. There are many ways that those in the health sector can cause data breaches, including, in the last week, a mailing error that released children’s health information in Missouri. In the UK a hospital worker accessed the medical records of her boyfriend’s ex-partner. She used the details obtained to text obscenities to the victim of this privacy breach. Given the nature of the breach and the subsequent misuse of the information, it is not surprising that the health worker is no longer employed by the NHS. And a nurse at the Texas Children’s Hospital was fired after posting on social media information about a rare measles case involving a boy aged between 1 and 3 years of age. All of these cases involved human error at increasing levels of stupidity and incompetence.
Today there is another confirmation that the problem in the health sector continues unabated in Australia: a report from Perth Now that between 2014/15 and 2016/17 there were 40 breaches of patient confidentiality under West Australia’s health Act. The actual number of data breaches is likely to be greater, given there are ample opportunities in the health industry to view patient records in paper form or through computers whose records are often easily accessed. On a not unrelated note, the WA State Auditor General recently found that 26% of passwords used by public servants were weak, including 5,000 of 234,000 whose password included “password”, while 200 actually used just “password”. 1,464 used “password123” and 813 used “password1”. When 1 in 4 WA public servants have weak passwords there really is no need for highly skilled computer hackers. It is likely that such poor understanding of privacy and data security is not confined to the choice of passwords.
The Perth Now article provides:
DOZENS of snooping hospital staff have been caught accessing patient medical records without proper authority.
The 40 breaches of patient confidentiality under the State’s Health Services Act occurred between 2014-15 and 2016-17.
Not a single staff member lost their job as a result of the privacy breaches.
Discipline involved counselling, written warnings, a formal reprimand, “improvement action” and training.
The highest number of cases, 14, were at South Metropolitan Health Service, which includes Fiona Stanley, Rockingham, Fremantle and Murray District hospitals.
Scandal-plagued North Metropolitan Health Service, which includes Sir Charles Gairdner, King Edward Memorial and Graylands hospitals, as well as Joondalup Health Campus, had 13 incidents, including eight alone in 2016-17.
The remainder were at East Metropolitan Health Service (10 breaches of patient confidentiality), Children and Adolescent Health Service (two) and WA Country Health Service (one).
This information on the cases was provided to The Sunday Times only after Health Minister Roger Cook was made aware the Department of Health repeatedly refused to provide details.
A WA Health Department spokesman said the 40 breaches of patient privacy “occurred in hospitals across the State, with the majority committed by frontline and clerical staff”.
“The Department of Health takes the privacy and security of information very seriously, with strict mechanisms in place to protect the privacy of our patients,” he said.
The spokesman said although termination of employment was a disciplinary option, it had not been applied to these 40 cases.
He said there was also an option for any cases regarded as serious misconduct to be referred to the Public Sector Commission or the Corruption and Crime Commission.
Australian Medical Association WA president Dr Omar Khorshid said reluctance by DOH to be transparent was “just another example of cultural issues” surrounding secrecy within the public health service.
“DOH should be a more willing participant in being transparent and not be dragged kicking and screaming,” he said.
Dr Khorshid said it was important for staff to be properly disciplined and for their colleagues to see them held to account as a deterrent for breaking the rules.
The unwillingness to be transparent is in stark contrast to the South Australian Government, which this week decided to publish quarterly the details of SA Health staff inappropriately accessing patient records.
The SA move came after it was revealed earlier this year that 21 employees were caught snooping and two were fired. Another three staff have since been fired.