DataBreaches.net

DataBreaches.net

The Office of Inadequate Security

Menu
  • Breach Laws
  • About
  • Donate
  • Contact
  • Privacy
  • Transparency Reports
Menu

NZ privacy commissioner finds that physician properly mitigated harm following a breach

Posted on September 18, 2013 by Dissent

Case Note 248601 [2013] NZ PrivCmr 4 : Medical practice mitigates future harm after data breach

A doctor working in a suburban medical practice had his car broken into and bag stolen. The bag contained a USB stick holding the personal information of a number of patients, including the complainant. The data detailed the complainant’s first and last names.  Also included were details of their prescribed drugs and medical diagnosis.

One of the doctor’s patients complained to us.

The medical practice acted quickly and fulfilled all four key steps an agency should follow in response to a privacy breach. These steps aim to contain the breach and reduce harm to the subjects of the breach.

Breach containment and preliminary assessment

Following a data breach, an agency must take immediate steps to contain or limit it. This includes designating an appropriate individual to lead the initial investigation and determine who needs to be notified.

The medical practice received news of the theft the following day and the manager immediately made plans to contact the affected individuals. Our complainant was informed of the breach by his general practitioner and offered a meeting with the manager to discuss the situation.

Evaluation of the risks associated with the breach

An appropriate evaluation includes considering what personal information was involved, establishing the cause and extent of the breach, considering who was affected by the breach and whether those affected might be harmed.

The manager noted that the only identifying details in this case were the complainant’s first and last name. He had frequently changed address in recent years and did not have a listed telephone number.  The manager believed the main harm was that the complainant may lose trust in the medical practice. However, the complainant had continued to use the agency’s services since the breach.

Notification

The patients were notified as soon as reasonably possible. The manager of the medical practice met the complainant to discuss the theft and apologised for the loss of his personal information.

Prevention

As a result of the breach, the medical practice took steps to increase the security of any data that was to leave the premises. A review was conducted of their patient information security policy.  Immediate changes were drafted for sign off by the practice’s Board.

The medical practice purchased new encrypted USB sticks immediately after the data breach, to be used where data is to leave the premises. An active register containing a list of the staff who are to use these keys was implemented and an agreement drawn up for staff to sign, acknowledging that they are responsible for the safety of the information.

Staff were advised both verbally and electronically of the new process and the medical practice ensured there was a transparent communication process with the staff about this incident.

The complainant sought damages as a result of the breach.  However we were not satisfied that he suffered harm that warranted damages.

We also considered the medical practice had taken appropriate steps in the circumstances.

See our privacy breach guidelines at:  http://privacy.org.nz/news-and-publications/guidance-notes/privacy-breach-guidelines-2/

 

Related Posts:

  • AU: Privacy update: in for a penny, in for a pound —…
  • Update: Jersey City doctor's office where…
  • San Francisco Doctor Accepts Bitcoin to Protect…
  • NZ: Case note 269784: Employee repeatedly accessed…
  • UK: GP practice in County Armagh warned after…

Post navigation

← NZ insurance firm settles over privacy breach
UK: Newcastle Citizen’s Advice Bureau data breach concern →

Sponsored or Paid Posts

This site doesn’t accept sponsored posts and doesn’t respond to requests about them.

Have a News Tip?

Email:

Breaches[at]Protonmail.ch
Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Telegram: @DissentDoe

Browse by News Section

Latest Posts

  • Update: Cardiovascular Consultants Ltd. ransomware attack reportedly affected 500,000 patients, guarantors, and staff
  • Data breach by Addenbrooke’s Hospital reveals patient information
  • Millions of patient scans and health records spilling online thanks to decades-old protocol bug
  • Cybersecurity: Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements (GAO Report)
  • Hackers Exploited ColdFusion Vulnerability to Breach Federal Agency Servers
  • CBIZ KA Notice of Data Privacy Incident (Prime Healthcare)
  • Seeking clarification on Maine’s data breach notification statute
  • East River Medical Imaging notifies 605,809 patients of breach

Please Donate

If you can, please donate XMR to our Monero wallet because the entities whose breaches we expose are definitely not supporting our work and are generally trying to chill our speech!

Donate- Scan QR Code   Donate!

Social Media

Find me on Infosec.Exchange.

I am also on Telegram @DissentDoe.

RSS

Grab the RSS Feed

Copyright

© 2009 – 2023, DataBreaches.net and DataBreaches LLC. All rights reserved.

HIGH PRAISE, INDEED!

“You translate “Nerd” into understandable “English” — Victor Gevers of GDI Foundation, talking about DataBreaches.net

©2023 DataBreaches.net