Data breach at the Alfred by a curious pharmacist is just another in a long line of data breaches in the health sector
November 2, 2023 |
The health industry is notorious for its data breaches, in Australia, the United States, the United Kingdom and Europe. It is a chronic problem with many causes: a dreadful culture, especially amongst medical staff; poor systems; poor training; large numbers of staff with many ways of accessing data; and a rich load of personal information concentrated on one system. The information we are expected to provide to doctors, hospitals, ambulance providers, respite centres and so on is, in many cases, sufficiently broad and detailed to commit identity theft.

The Age reports in ‘Curious’ pharmacist spied on patient records at The Alfred that an employed pharmacist accessed the personal information of 7,000 patients over a four-year period without authorisation. That access included viewing the records of fellow staff members. This is a depressingly common occurrence, and one I post on regularly: in August last year with Health advisor in the UK fined for unlawfully accessing patient records; in NSW, where such conduct resulted in a nurse having her registration cancelled; and in UK Information Commissioner prosecutes unauthorised access to personal information..part of a growing problem, by way of example. The Guardian reported last year that 24 UK doctors were censured in a five-year period for medical record breaches.

Earlier this week Ontario hospitals suffered a data breach as a result of a cyber attack. That breach was caused by the ransomware group Daixin team, which is leaking the data. Last Friday a Medibank-owned health insurer, ahm, had to take down its online insurance quote form because personal information entered by one person was made available to another when the latter tried to fill out the form.
Alfred Health released a statement today about the privacy breach. There is not much in the way of good corporate citizenry involved in this release. The investigation began in June. The pharmacist was subsequently sacked.
Alfred Health’s statement provides:
Alfred Health chief executive Prof Andrew Way has issued a written apology to more than 7000 patients after their medical records were viewed by a healthcare worker while not directly involved in their care.
Prof Way said accessing patient information without a direct clinical reason is a breach of privacy and completely unacceptable.
“We deeply value the relationship we have with our patients, and the trust they put in us, and we unreservedly apologise for the healthcare worker’s misconduct,” Prof Way said.
“We have written to every patient whose medical record was accessed without authority, and we have invited them to call our dedicated hotline if they would like additional information or support.”
While cybersecurity experts reviewing the privacy-matter found no evidence of download or use of patient information, the former worker’s behaviour was a fundamental breach of professional standards.
“What began as healthcare worker’s legitimate professional access to the electronic medical records system morphed to include access for personal curiosity,” he said.
“As soon as this behaviour was confirmed, we terminated their employment and referred the matter to both the Australian Health Practitioner Regulation Agency (Ahpra) and the Australian Digital Health Agency.”
There is no evidence the now former employee kept a copy of any data, shared data online or otherwise misused patient data.
The health service is looking at whether there is technology available to improve the detection of unusual behaviour in the electronic medical record system, while still ensuring seamless access for time critical patient care.
The last sentence is the most apt: having technology and systems to improve the detection of unusual behaviour. Of course such programs exist, and of course they operate in the health sector. That it took the Alfred four years to detect unusual behaviour, if that is what happened, hardly inspires confidence. It beggars belief that there were no rolling audits of data usage.
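To make concrete what a rolling audit of record access looks like in practice, here is an added example, not Alfred Health's system nor any vendor's product. It assumes a simple per-event access log (the CSV-like format, the field names and the thresholds are all assumptions, and the sample log lines are constructed) and applies three rules that any electronic medical record audit would start with: an access by a user who is not on the patient's care team, an access to a fellow staff member's record by a user not on that care team, and a burst of unexplained accesses by one user inside a short window.

```python
"""Minimal EMR access-log audit (added example; format and thresholds assumed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log, one record-view event per line. Assumed columns:
# timestamp, user_id, user_role, patient_id, care_team (';'-separated user ids), patient_is_staff
SAMPLE_LOG = """\
2023-06-01T08:02:00,u100,pharmacist,p1,u100;u200,0
2023-06-01T08:10:00,u100,pharmacist,p2,u100;u201,0
2023-06-01T08:15:00,u100,pharmacist,p3,u300;u301,0
2023-06-01T08:16:00,u100,pharmacist,p4,u300,0
2023-06-01T08:17:00,u100,pharmacist,p5,u302,1
2023-06-01T08:18:00,u100,pharmacist,p6,u303,0
2023-06-01T09:00:00,u200,nurse,p1,u100;u200,0
2023-06-01T09:05:00,u200,nurse,p7,u200,0
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    care_team: frozenset  # user ids with a clinical relationship to the patient
    patient_is_staff: bool


def parse_log(text):
    """Parse the assumed CSV-like log into AccessEvent objects (blank/comment lines skipped)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, patient, team, is_staff = line.split(",")
        events.append(AccessEvent(
            ts=datetime.fromisoformat(ts),
            user=user,
            role=role,
            patient=patient,
            care_team=frozenset(t for t in team.split(";") if t),
            patient_is_staff=(is_staff == "1"),
        ))
    return events


def audit(events, window=timedelta(hours=1), threshold=3):
    """Return a list of findings. Each finding is a dict with at least 'rule' and 'user'.

    Rules (names are this example's own):
      no_care_relationship - user viewed a record without being on the care team
      staff_record         - same, but the record belongs to a fellow staff member
      volume               - `threshold` or more unexplained views by one user within `window`
    """
    findings = []
    unexplained = defaultdict(list)  # user -> sorted timestamps of unexplained views
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.user in ev.care_team:
            continue  # legitimate clinical access; nothing to flag
        rule = "staff_record" if ev.patient_is_staff else "no_care_relationship"
        findings.append({"rule": rule, "user": ev.user,
                         "patient": ev.patient, "ts": ev.ts.isoformat()})
        unexplained[ev.user].append(ev.ts)

    # Sliding window over each user's unexplained views; report the first burst only.
    for user, stamps in unexplained.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                findings.append({"rule": "volume", "user": user,
                                 "count": count, "ts": stamps[end].isoformat()})
                break
    return findings


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG)):
        print(f)
```

Run on the constructed log, the pharmacist u100 is flagged for three views with no care relationship, one view of a staff member's record, and a burst of three unexplained views within the hour, while the nurse u200, who is on the care team for both patients viewed, produces nothing. A real deployment would derive the care-team relationship from admissions, rostering and orders data rather than carry it in the log, and would run this over each day's events rather than wait four years.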
The Age article provides:
About 7000 Alfred Health patients are victims of a privacy breach after a pharmacist working at Victoria’s leading trauma hospital accessed personal medical records without authorisation.
Alfred Health wrote to every patient affected in a letter sent on Monday, seen by The Age, which said the pharmacist was dismissed after an investigation, launched in June, found they had used the hospital’s electronic database to view records over four years without a clinical reason to do so.
The letter said the healthcare worker’s motivation couldn’t be determined, but they had told investigators they were “curious to see records”, which included those of fellow staff members.
Information viewed included patient names, birthdays, Medicare numbers, home addresses, next-of-kin details, and medical information such as diagnoses, clinician notes, test results and treatment particulars. No financial information was accessible.
Alfred Health said cybersecurity experts had determined the risk of personal information being misused was “extremely low”.
Professor Andrew Way, chief executive of Alfred Health, apologised to affected patients.
“Accessing patient information when not directly involved in a patient’s care is completely unacceptable, and we unreservedly apologise for the healthcare worker’s misconduct,” Way said in a statement.
“There is no evidence that the former employee kept a copy of any data, shared data online or otherwise misused patient data. Out of an abundance of caution, we will continue to monitor this situation, and we will let patients know if this changes.
“To make sure this doesn’t happen again, we are introducing additional monitoring that will better detect unusual behaviour in our electronic medical record system, while still providing seamless patient care.”
The Australian Health Practitioner Regulation Agency has been contacted for comment after Alfred Health said it had referred the breach to them.
The Australian Digital Health Agency and the Office of the Australian Information Commissioner were also notified.