UPDATE: ‘We want assurances’: Government pushed on whether patient data breaches have occurred elsewhere

UPDATED 3:45 pm: Health Minister Rachel Stephen-Smith has told the Legislative Assembly that there’s “absolutely no evidence” breaches of private patient data have occurred in any other area of Canberra Health Services.

Deputy Liberals Leader Jeremy Hanson demanded more answers about the extent of the breach after it was revealed on Thursday (23 March) that the records of 13 people accessing mental health services had been sent to the Australian Nursing and Midwifery Federation’s ACT branch.

Mr Hanson said it had been extremely difficult to find out exactly what had gone wrong.

“It is a possibility that if sensitive patient data has been provided in one area of health, it could well have been provided in other areas of health, and I want to seek assurances on behalf of the community that that hasn’t happened,” he said.

“I’m certainly not alleging that that has happened, but we want assurances that it hasn’t.

“And if it has, it needs to be promptly investigated.”

Mr Hanson also questioned Mental Health Minister Emma Davidson’s timeline about the events surrounding the breach, including why she chose to get in contact with the accused union.

“Her first response was to approach the alleged perpetrator, to get in contact with the union … which is pretty extraordinary in itself,” he said.

“We need to understand now how the government is going to manage that relationship [with the union] going forward.

“If this was any other organisation, it’s likely that that relationship between Health and that organisation would be cancelled or suspended. Is that going to happen with the union?”

Ms Davidson was further pressed on her knowledge and her actions during Questions Without Notice in the Legislative Assembly, as was the Health Minister.

It was revealed Ms Stephen-Smith was specifically advised about the breach on 13 February, and her office was notified a few days earlier.

She accused the Canberra Liberals of scare tactics to suggest a similar breach could have occurred anywhere else across Health.

“There is absolutely no evidence that this has occurred in any other area of the health system,” Ms Stephen-Smith said.

“The recent implementation of the Digital Health Record has resulted in a step change in the security of health records and the traceability of any access to those records, any downloading and sharing of those records.”

Ms Davidson also defended her decision to request a meeting with the secretary of the ANMF ACT branch, as well as the CHS CEO, when she found out about the breach.

“I wanted to particularly better understand what their organisations were doing to comply with their legal obligations and I also wanted to address the distrust issue that this breach has created,” she said.

“I believe it is entirely appropriate, when a breach of this nature has occurred, to be asking people how they are going to comply with their legal obligations and cooperate with any external investigations that might be ongoing.”

She also explained it had taken so long to fully contact all those impacted by the breach, from the time it was discovered to the time it took to understand whose data had been emailed and to what extent, because of the protection processes in place.

“It takes some time to prepare for a patient disclosure process of this nature, and to make sure all the right things are in place to be able to answer any questions that people may have and make sure the appropriate supports are there for them,” Ms Davidson said.

Patients began to be informed about the data breach on 6 March, the same day the all-staff email was sent to about 8000 Canberra Health Services employees by CHS CEO Dave Peffer.

11 am: A nursing and midwifery union has been identified as the external organisation to whom the private details of 13 mental health patients were emailed without their knowledge or consent.

But they were also shared with other private email accounts, which remain unknown.

Mental Health Minister Emma Davidson updated the Legislative Assembly on the issue during the sitting of the Assembly on Thursday (23 March).

She said she had been unable to provide further information until late yesterday.

“Now that the families and patients involved have received more of these details, I’m able to provide an update,” Ms Davidson said.

She outlined that Canberra Health Services (CHS) had discovered a “potential breach” in early February and that she was verbally told about this on 8 February.

“An audit was undertaken to determine the breadth of the breach, which uncovered significant and sustained breaches of the Health Records Privacy and Access Act 1997, and the Privacy Act 1988,” Ms Davidson said.

“This took some time, but by 27 February, we had a fairly clear understanding of the number of patients and staff involved.”

She named the external industrial partner as the Australian Nursing and Midwifery Foundation’s (ANMF) ACT branch but said the patient’s health records had also been shared with “other private email accounts”.

“CHS immediately notified and referred the breach to the relevant authorities, including ACT Policing, the ACT Integrity Commission, the ACT Human Rights Commission through the ACT Health Services Commissioner, the Australian Information Commissioner and the Australian Health Practitioners Regulation Agency,” Ms Davidson said.

“CHS formally advised the industrial partner [ANMF ACT branch] of the breach as soon as its extent was determined.”

Ms Davidson continued that on 28 February, she contacted both CHS CEO Dave Peffer and the ANMF ACT branch secretary regarding her concerns about the impact on patients and staff and requested a meeting.

“I particularly wanted to understand what the organisations were doing to comply with legal obligations,” she said.

While she had received a response “within hours” from Mr Peffer, Ms Davidson said she didn’t hear from the ANMF until 1 March, when the union’s lawyers declined the meeting and requested all future correspondence be sent to them.

Since this matter became public on Tuesday (21 March), one CHS staff member has been terminated and two others suspended, with their cases referred to the Public Sector Standards Commissioner for an independent investigation.

Ms Davidson said CHS had assured her that she will receive further updates as they come to hand.

“This is all of the information that I am able to share at this point in time. I will provide further updates when I can,” she said.