
Unknown Data Breach (2015)

Unknown

low

VERIS
Disclosed

July 21, 2015


Records

1

Confirmed

Root Cause

Hacking

Industry

Other

Description

Case Note 246939 [2015] NZ PrivCmr 7: Patient's shared medical records wrongly disclosed.

An Auckland woman agreed that her insurer could access her medical records held by a local district health board (DHB). However, the insurer sent a request for copies of her medical file to the wrong DHB. The DHB did not notice that it had received the request in error. The DHB provided the woman's entire medical file to the insurer, including sensitive mental health information that was not relevant to her claim. The insurer did not retain the irrelevant information, but we were concerned that the DHB had accessed all of the woman's information and had released it to a third party.

We also wanted to know what information was able to be accessed by the DHBs and what security safeguards were around that information. We found that all three DHBs in the Auckland region can electronically access information about patients that have been treated at any one of those DHBs. In this case, the woman attended a DHB five years previously and so the responding DHB was able to access her records.

There were restrictions around the mental health information in the database. For instance, access to the database was time limited and information could only be accessed about patients who had a current referral, so there must be a proven relationship with the patient care team. Plus, the mental health records in the database had a 'break glass' function to enable access for specific purposes. This function gave one-time-only access to patient information. Some senior medical officers who provided on-call cover were given full access. Users recorded their reason for accessing the mental health records and automatic alerts were sent to system administrators when this function was invoked. All 'break glass' instances were audited. In this case, the person responding to the request accessed the woman's mental health file when they should not have.
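The safeguards the case note lists (access tied to a current referral, a one-time 'break glass' path that records a reason, alerts administrators and is audited, and full access for designated on-call senior medical officers) map onto a small policy enforcement point in front of the record store. The block below is an added illustration written for this page; it is not code from any DHB system or from the Privacy Commissioner. The class and method names, the referral expiry rule, the token format, and the sample users, patient and reason string are all constructed assumptions. It shows that a staff member with no current referral is refused by default, that break-glass access is single use and leaves both an alert and an audit trail, and that an expired referral (the five-year-old attendance in the case) does not grant access on its own.

```python
"""Break-glass access control sketch modelled on the safeguards in the case note.
Added illustration for this page; all names and rules are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets


@dataclass(frozen=True)
class Referral:
    """A clinician's current relationship with a patient (hypothetical shape)."""
    patient_id: str
    clinician_id: str
    expires: datetime


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user_id: str
    patient_id: str
    outcome: str        # "referral", "on_call", "break_glass" or "denied"
    reason: str = ""    # only populated when break glass is invoked


class MentalHealthRecordGateway:
    """Policy enforcement point: every read of a mental-health record goes through here."""

    def __init__(self, referrals, on_call_users=(), clock=None):
        self._referrals = list(referrals)
        self._on_call = frozenset(on_call_users)      # SMOs with full access
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._tokens = {}                             # one-time token -> (user, patient)
        self.audit_log = []                           # every decision, allowed or not
        self.admin_alerts = []                        # automatic alerts to administrators

    def has_current_referral(self, user_id, patient_id):
        """Access is time limited: only an unexpired referral counts."""
        now = self._clock()
        return any(r.patient_id == patient_id and r.clinician_id == user_id
                   and r.expires > now for r in self._referrals)

    def break_glass(self, user_id, patient_id, reason):
        """Issue a single-use token; the reason is recorded and administrators alerted."""
        if not reason.strip():
            raise ValueError("break-glass access requires a recorded reason")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (user_id, patient_id)
        self.admin_alerts.append(f"break-glass by {user_id} on {patient_id}: {reason}")
        self.audit_log.append(AuditEvent(self._clock(), user_id, patient_id, "break_glass", reason))
        return token

    def read_record(self, user_id, patient_id, token=None):
        """Return True if the read is permitted. Default is deny; every outcome is audited."""
        if user_id in self._on_call:
            outcome = "on_call"
        elif self.has_current_referral(user_id, patient_id):
            outcome = "referral"
        elif token is not None and self._tokens.get(token) == (user_id, patient_id):
            del self._tokens[token]                   # one-time only: burn the token
            outcome = "break_glass"
        else:
            outcome = "denied"
        self.audit_log.append(AuditEvent(self._clock(), user_id, patient_id, outcome))
        return outcome != "denied"


def demo():
    """Constructed scenario: one patient, a treating clinician, a clinician whose
    referral lapsed years ago, a records clerk answering an external request, and
    an on-call SMO. Returns the gateway and a dict of access decisions."""
    fixed_now = datetime(2015, 7, 21, tzinfo=timezone.utc)
    gw = MentalHealthRecordGateway(
        referrals=[
            Referral("patient-001", "dr-treating", fixed_now + timedelta(days=30)),
            Referral("patient-001", "dr-former", fixed_now - timedelta(days=5 * 365)),
        ],
        on_call_users={"smo-oncall"},
        clock=lambda: fixed_now,
    )
    results = {
        "treating": gw.read_record("dr-treating", "patient-001"),
        "former": gw.read_record("dr-former", "patient-001"),
        "clerk": gw.read_record("clerk-records", "patient-001"),
        "on_call": gw.read_record("smo-oncall", "patient-001"),
    }
    # The clerk has no referral, so the only legitimate route is break glass,
    # which records a reason and raises an alert (constructed reason text).
    token = gw.break_glass("clerk-records", "patient-001", "external records request, constructed example")
    results["break_glass_first"] = gw.read_record("clerk-records", "patient-001", token)
    results["break_glass_reuse"] = gw.read_record("clerk-records", "patient-001", token)
    return gw, results


if __name__ == "__main__":
    gateway, decisions = demo()
    for name, allowed in decisions.items():
        print(f"{name:18} {'allowed' if allowed else 'denied'}")
    for event in gateway.audit_log:
        print(event)
```

The point of the deny-by-default branch is that an employee responding to a misdirected request has no referral and should land in "denied" unless they deliberately break glass, at which moment an alert and an audit event exist for administrators to review.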