There has been a new finding in an investigation by the Privacy Commissioner of New Zealand that is especially worth noting for its “small breach, big impact” value. Because the health agency is not named, it’s not clear to me whether this incident had been reported in the media and on this site previously:
The complainant, who had been employed by a large health agency, was notified by the agency that a former colleague of hers had been dismissed for accessing her health records without proper reason. The complainant and her former colleague had worked in administrative roles, but had access to health records and medical information.
The records ‘browsed’ by the complainant’s former work-mate included extremely sensitive emergency department and mental health information about the complainant. The complainant’s records were accessed on numerous occasions between 2012 and 2013. This showed a pattern of behaviour and gave meaning and context to some comments her former colleagues had made about her health while they worked together.
After finding out about this the complainant asked for an audit of access to her records so she could be sure no other staff she had worked with had inappropriately accessed her health information.
The access audit revealed a further instance of browsing of the complainant’s health information by another former colleague over the same time period. This was especially distressing for the complainant because it renewed the complainant’s concerns that her colleagues had treated her unfairly and had been sharing her sensitive health information with each other.
Rule 5 – Security safeguards
Rule 5 of the Health Information Privacy Code 1994 requires an agency to ensure reasonable security safeguards exist to prevent loss, unauthorised access or disclosure of the health information it holds.
Assessing what is reasonable depends on the sensitivity or confidentiality of the information involved and the ease with which safeguards could be put in place to protect the information. The agency’s current policies and practices, including any staff training, are also relevant.
Under rule 5, an agency has an ongoing responsibility to develop and maintain appropriate security safeguards for its information. System audits, staff training, policies and technology upgrades are some of the tools an agency can employ to help maintain a good privacy culture and ensure trust and confidence in the security and privacy of health information.
Inappropriate access to information by employees, called ‘employee browsing’, is a problem for many large agencies. It is important agencies take a proactive approach to information security and make continuing efforts to put in place and improve their security processes.
Although the health agency took a proactive, sympathetic and responsible approach to the interference with the complainant’s privacy, it had limited processes in place to catch inappropriate access to its files. The extent of the browsing and length of time before detection also indicated the safeguards in place were not adequate. The browsing took place over several months and was not an isolated incident. The fact that people she worked with were responsible heightened the complainant’s feelings of violation and humiliation.
In this case, the harm suffered by the complainant was ongoing and substantial. She experienced high levels of anxiety, nightmares, and was fearful of further browsing of her health information. The complainant also felt any future possible employment at the agency was impossible as not only did she feel her reputation had been damaged, she no longer trusted the agency.
Both the complainant and the health agency agreed to participate in a mediation facilitated by our Office. The mediation was successful and the health agency, following on from earlier apologies, provided a formal apology and agreed to provide financial compensation to the complainant for the harm caused by the interference with her privacy. The health agency had initiated an independent review of its health record audit process to reduce the risk of this happening again in the future and is implementing those changes.
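As an added illustration (not part of the case note or the blog post), here is the kind of per-patient access audit the complainant requested, run over a constructed access log: it lists every staff member who opened one patient's record without a documented work reason and flags repeat access spread over months, which is the "pattern of behaviour" the case note describes. The staff ids, patient ids, record types and the justification table are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: (timestamp, staff_id, patient_id, record_type).
# Made-up values for the example, not data from the case note.
ACCESS_LOG = [
    ("2012-03-02T09:14", "adm-17", "pt-9001", "ED"),
    ("2012-05-11T13:40", "adm-17", "pt-9001", "MentalHealth"),
    ("2012-09-30T08:05", "adm-17", "pt-9001", "ED"),
    ("2013-01-19T16:22", "adm-17", "pt-9001", "MentalHealth"),
    ("2012-06-03T10:01", "adm-22", "pt-9001", "ED"),
    ("2012-11-08T11:30", "adm-22", "pt-9001", "ED"),
    ("2012-06-03T10:05", "adm-22", "pt-4412", "ED"),
    ("2012-06-04T09:00", "nurse-3", "pt-9001", "ED"),
]
# (staff, patient) pairs with a documented work reason, e.g. an encounter or
# task assigned to that staff member (constructed; assumes such a table exists).
JUSTIFIED = {("adm-22", "pt-4412"), ("nurse-3", "pt-9001")}
# Patients who are also employees, so a colleague looking up a colleague is visible.
STAFF_PATIENTS = {"pt-9001"}


def audit_patient_access(log, patient_id, justified, staff_patients,
                         min_hits=2, min_span_days=30):
    """Summarise unjustified access to one patient's record per staff member.
    'pattern' is set when a staff member hit the record at least min_hits times
    across more than min_span_days, i.e. repeated browsing rather than a one-off."""
    hits = defaultdict(list)
    for ts, staff, patient, rtype in log:
        if patient != patient_id or (staff, patient) in justified:
            continue  # other patient, or access had a recorded reason
        hits[staff].append((datetime.fromisoformat(ts), rtype))
    findings = []
    for staff, events in hits.items():
        events.sort()
        span_days = (events[-1][0] - events[0][0]).days
        findings.append({
            "staff": staff,
            "count": len(events),
            "span_days": span_days,
            "record_types": sorted({r for _, r in events}),
            "colleague_record": patient_id in staff_patients,
            "pattern": len(events) >= min_hits and span_days > min_span_days,
        })
    # Most frequent accessor first, so the audit report leads with the worst case.
    return sorted(findings, key=lambda f: f["count"], reverse=True)
```

Run on the sample log, the audit reports two staff members (the justified nurse access is excluded), both flagged as a pattern spanning months, which is the signal a periodic audit could have raised long before the complainant had to ask.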