A police investigation is underway after a serious privacy breach was detected at Canberra Health Services (CHS), where the clinical records of 13 people were “deliberately emailed” to an external organisation.
However, it’s not clear how many staff members were responsible for the breaches, which external organisation received the records, whether the records were passed on to other organisations, how the breach was discovered and over how many years the breaches have been occurring.
All CHS employees received an email about the breaches from CEO Dave Peffer on 6 March, with the subject line, “a disappointing update”. Mr Peffer’s email has just become public.
“I wanted to quickly update you on something that’s happened, which isn’t good,” he opened.
He then explained the breach had been discovered in the past few weeks.
“What I’m talking about here is whole clinical records, in some cases scanned from hard copy, and deliberately emailed to individuals outside the organisation,” he wrote.
“Breaching the privacy of 13 consumers. Over a period of years.”
Mr Peffer wrote the records had been sent by a “small number” of employees to “multiple people” within one of CHS’s industrial partners.
“Records that should never have been shared outside the organisation without the express consent of our patients,” he said.
“Trust was on the line, and we’ve let these patients down.”
Mr Peffer outlined this wasn’t an accidental breach where a patient’s details were “inadvertently buried”, but one that could lead to legal consequences.
He said that, at the time, the ongoing employment of those involved was being considered and the incident had been referred to police, the Australian Health Practitioner Regulation Agency, and other local and national regulators.
The impacted patients and their families have also been contacted.
“Often, our patients are at their most vulnerable when in our care. The confidence our patients have to share their most private health information with us helps us to treat and care for them. All of that relies on trust,” Mr Peffer wrote.
“This isn’t a situation we want anyone to find themselves in.”
Region posed further questions to CHS, but a spokesperson said they could not elaborate further as the incident was subject to an external investigation.
“Patient privacy and confidentiality is a key tenet of the health care system and one Canberra Health Services values greatly,” they said.
“We take any potential breach very seriously.”
It appears the records related to mental health patients who had accessed Canberra Health Services.
Mental Health Minister Emma Davidson said she had been assured the staff involved had “no further access” to confidential information but was unable to elaborate further.
“We’ll be able to offer more public information once due process and the external investigation have concluded,” she said.
“Until then, I am unable to provide any further specifics on this matter … and I have no plans to run any commentary on it.”
She did outline CHS staff were made aware of their patient privacy and confidentiality obligations through a number of processes, including mandatory training, induction processes and registrations.
“There are clear policies and procedures in place for the treatment of all health records, including access, storage, dissemination and destruction guidelines,” Ms Davidson said.
“CHS really understands its legislative and values-based obligations in relation to patient privacy and confidentiality and they treat any breach of this very seriously.”
Shadow Health Minister Leanne Castley slammed this response, accusing Ms Davidson of hiding behind a “culture of secrecy” to avoid explaining exactly what has happened.
“There is a bunch of information that she can share with Canberra to give them the assurance that everything is OK,” she said.
“I’m not asking for names of who has done what, but what exactly has gone on? Why have patient records been copied, given to another body? Why did that occur? That is something she can surely answer and let us know.
“It’s time for the minister to explain to Canberrans what’s going on and to stop hiding behind investigations.”
Ms Castley questioned why it had taken so long for the email, which was sent two weeks ago, to come to light, and why the government didn’t update the public as soon as the breach was discovered.
“I’m surprised it’s taken this long for us to find out about this,” she said.
“[Those impacted] are the most vulnerable people and they have had their information taken and shared with someone else.
“It’s a disgrace.”
Ms Davidson was repeatedly asked about this issue during question time in the Legislative Assembly on Tuesday (21 March), but she said she could not provide any more detail while a police investigation was underway.
“It’s really important when police are doing an investigation that they are able to do their work without interference and speculation from politics,” she said.
She did clarify the industry partner to whom the details were sent was not a health fund.
Ms Davidson was asked to take the questions she couldn’t answer on notice; however, it was noted she couldn’t do this as it would legally require her to respond within a certain timeframe and it was unknown when the investigations would end.
She also explained her decision not to make a public statement about the breach even though she “was made aware [of it] in recent weeks”.
“The patient disclosure process needed to happen before this became a topic of public conversation,” Ms Davidson said.
“It is really important that when you are a person receiving health care that your needs are put first and that is what we have done here.
“The conversations with the patients who have been personally affected by these breaches are ongoing.”