BreachExchange mailing list archives

Major privacy breach at Bay of Plenty DHB


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 6 Dec 2012 17:49:27 -0500

http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10852380

The Bay of Plenty District Health Board has sacked a "trusted" staff
member for breaching the privacy of nearly 50 patients.

The staff member was sacked after the board launched a four-month
investigation following allegations the staff member had access to
clinical records and "used them for her own purposes".

The Bay of Plenty Times understands the staff member was accessing
private files and then discussing patient details in casual
conversation with other staff.

During the investigation the staff member remained employed at the
health board, working at the same desk and computer she used to access
the patients' files.

The district health board confirmed 48 patients were contacted and
advised their privacy might have been breached. The breaches occurred
over a four-year period.

District health board general manager governance and quality/privacy
officer Gail Bingham said the staff member committed "serious
misconduct", resulting in termination of their employment.

Ms Bingham would not comment on the staff member's name or the
department they worked in.

"Unfortunately a trusted employee with employment-related access to
clinical records has chosen to abuse their position and access the
system for their own purposes."

Until the investigation was completed no specific charges of serious
misconduct could be made and the staff member continued in their work
during that time, Ms Bingham said.

"However her access was closely monitored during this period to ensure
her access to clinical records was for legitimate work purposes only."

In the review the board matched every access to clinical records the
individual had in her role against those patients' attendance at or
admission to hospital. The investigation identified 48 breaches and
the board is satisfied no further breaches occurred, Ms Bingham said.

A patient who received a letter last month informing her of the breach
said she still had questions about what had occurred.

"It was like 'we're investigating a breach of privacy, have a nice
day'. I was just like 'what the heck'. Why would this person want to
access my medical files? I don't know what she's looking at."

She said the breaches could be traumatic for vulnerable patients.

A district health board employee said she was concerned the board
failed to respond appropriately to the breaches.

"In that four-and-a-half months she was still there at her computer.
She could have still been delving into files," the source said.

"We don't know why she did it but she had a huge mouth."

The source said the woman brought up patients' details in conversations.

This raised concern among other employees about the type of
information the staff member had access to and management was
informed.

"It's just not fair," the source said.

"Too many people were affected and why should everyone else be under suspicion?"

The source did not want to be identified for fear of losing her job
but felt upset enough to speak out.

"I really think it needs to be brought out into the open. I think they
need to say sorry."

The letter sent to victims apologised for the breaches, saying the
staff member breached both the Privacy Code and the Bay of Plenty
District Health Board's own policy.

- BAY OF PLENTY TIMES
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/