ACCforum: Privacy breach at big health agency - ACCforum

Jump to content

Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

Privacy breach at big health agency

#1 User is offline   hukildaspida 

  • Advanced Member
  • PipPipPip
  • Group: Member
  • Posts: 3353
  • Joined: 24-August 07

Posted 12 April 2016 - 03:34 PM

Privacy breach at big health agency
Home » News » National
Tue, 29 Mar 2016
News: National


http://www.odt.co.nz...g-health-agency

An employee at a large health agency in New Zealand has had her private health information, including her "extremely sensitive" emergency department and mental health records, accessed by more than one former colleague.

The woman's private information was looked at on numerous occasions between 2012 and 2013, case notes from the Privacy Commissioner's Office show.

She was notified about the offending by the health agency and told her former colleague had been fired as a result.

Both parties had worked in administrative roles and had access to health records and medical information.

But it was only when the woman asked for an access audit to be conducted that she found more than one person had "browsed" through her private information.

The offending "showed a pattern of behaviour and gave meaning and context to some comments her former colleagues had made about her health while they worked together", Privacy Commissioner John Edwards said.

He said the woman had asked for an audit of access to her records after finding out they had been accessed without proper reason, "so she could be sure no other staff she had worked with had inappropriately accessed her health information".

Mr Edwards said the audit revealed another former colleague had browsed her health information during the same time period.

"This was especially distressing for the complainant because it renewed the complainant's concerns that her colleagues had treated her unfairly and had been sharing her sensitive health information with each other."

He said Rule 5 of the Health Information Privacy Code 1994 requires an agency to ensure reasonable security safeguards exist to prevent loss, unauthorised access or disclosure of the health information it holds.

"Assessing what is reasonable depends on the sensitivity or confidentiality of the information involved and the ease with which safeguards could be put in place to protect the information. The agency's current policies and practices, including any staff training, are also relevant."

The information accessed was shown to include "extremely sensitive" emergency department and mental health records.

Edwards said under Rule 5, an agency has an ongoing responsibility to develop and maintain appropriate security safeguards for their information.

"System audits, staff training, policies and technology upgrades are some of the tools an agency can employ to help maintain a good privacy culture and ensure trust and confidence in the security and privacy of health information.

"Inappropriate access to information by employees, called 'employee browsing', is a problem for many large agencies. It is important agencies take a proactive approach to information security and make continuing efforts to put in place and improve their security processes."

He ruled that although the health agency took a proactive, sympathetic and responsible approach to the interference with the complainant's privacy, it had limited processes in place to catch inappropriate access to their files.

"The extent of the browsing and length of time before detection also indicated the safeguards in place were not adequate. The browsing took place over several months and was not an isolated incident.

"The fact that people she worked with were responsible heightened the complainant's feelings of violation and humiliation."

Edwards said that in this case, the harm suffered by the complainant was "ongoing and substantial".

"She experienced high levels of anxiety, nightmares, and was fearful of further browsing of her health information.

"The complainant also felt any future possible employment at the agency was impossible as not only did she feel her reputation had been damaged, she no longer trusted the agency."

The woman and her employer agreed to participate in a mediation facilitated by the Privacy Commissioner's Office.

"The mediation was successful and the health agency, following on from earlier apologies, provided a formal apology and agreed to provide financial compensation to the complainant for the harm caused by the interference with her privacy," Mr Edwards said.

He added: "The health agency had initiated an independent review of its health record audit process to reduce the risk of this happening again in the future and is implementing those changes."

- NZ Herald
NZME.
0

#2 User is offline   hukildaspida 

  • Advanced Member
  • PipPipPip
  • Group: Member
  • Posts: 3353
  • Joined: 24-August 07

Posted 12 April 2016 - 03:54 PM

The Auckland DHB staff member or members who provided information for this Report perhaps may have short memory spans, because to the best of our recollection and knowledge a case involving a patient and an eel in the rectum was a Privacy breach and may have been within that time frame they have referred to.


Privacy review at Wellington Hospital after staffer caught snooping on records

BEN HEATHER

Last updated 21:12, March 17 2016


http://www.stuff.co....ping-on-records

http://www.stuff.co....58206988572.jpg

A Wellington Hospital staff member has left after being caught accessing 33 patients' records.

The breaches have sparked an independent privacy review of the Capital & Coast District Health Board's privacy practices, which recommended more thorough auditing, restrictions on access to electronic medical files, and better staff training.

A report, released under the Official Information Act, revealed the investigation occurred after a former colleague claimed the woman had been snooping into her electronic medical records.

The woman initially claimed she did not even know the complainant, but it was later revealed the pair had sat next to each other as administrative workers at Wellington Hospital.

READ MORE:
* Health privacy investigation at Wellington Hospital after complaint
* Privacy breach victim slams Southern District Health Board
* Online health records a 'snooping risk'
* More than one MidCentral nurse sacked for snooping
* Ryder's medical files spied on

A subsequent audit found the woman had not only breached her colleague's medical record, including her admission to the emergency department, but had accessed the electronic health records of 33 patients "without an obvious legitimate need to do so".

After further investigations, the DHB accepted that, in 28 of these cases, there had been no privacy breach. However, she was found to have accessed her own family's medical records five times without authorisation.

CCDHB chief operating officer Chris Lowry
said the woman claimed she had permission from her family, but she had nevertheless accessed private health records to which she had no right.

"Whether she did it off her own volition, or for her family members, it is still a breach."

The woman is no longer employed by the DHB, but Lowry refused to comment on whether she resigned or was dismissed.


She said the DHB had apologised to the original complainant, but no other patients affect by the breaches had been contacted.

The case is just the latest of a string of hospital staff caught snooping on patients' files in the past few years.

Last year, three staff at Palmerston North Hospital were dismissed for breaching patients' privacy. It came after a former hospital nurse told a disciplinary tribunal that staff routinely accessed health records of patients they weren't treating.

In 2013, several Hutt Hospital receptionists were caught going through the medical notes on a surrogate mother 20 times, but kept their jobs.

In the same year, Canterbury DHB was forced to apologise to cricketer Jesse Ryder for breaching his privacy. While Ryder was recovering from serious injuries suffered after a late-night assault, four clinicains not involved in his care accessed his medical records.

Lowry said it was hard to know why staff continued to access medical files that were none of their business, but privacy breaches were infrequent.

"We do take privacy very seriously, and our responsibility to protect patients."

The independent review of the DHB's privacy protections was carried out after the investigation had found several areas for improvement, which the DHB was considering now, she said.

Among the recommendations was making it clearer to staff the consequences of breaching patients' privacy, which could include dismissal, and better privacy training for administrative staff.

Random weekly audits of electronic records were already carried out, but the review said these audits could be strengthened and limits around who could access which records improved, Lowry said.

The DHB was still working out what was practical with the existing technology, but no system would be 100 per cent effective against breaches.

"We have thousands of staff members that have appropriate acess to many, many patients' medical records. It [a privacy breach] is like a needle in a haystack sometimes."

YOUR HEALTH RECORDS


DHBs report dozens of privacy breaches each year, but the numbers vary widely throughout the country.

Auckland DHB, which covers nearly 500,000 people, claimed it had not uncovered a single privacy breach in the five years to 2014, while South Canterbury DHB, which covers 55,000 people, reported more than 50 during the same period.

Capital & Coast DHB reported only four privacy breaches between 2009 and 2014.

Overall, slip-ups or snooping into patients' health records account for about 15 per cent of 800 complaints received by the Privacy Commissioner every year.

In 2014, the commissioner raised concerns about the rise of shared electronic health records, which make it easier for hospitals to access and share health records with GPs and other community health services.

- Stuff
0

#3 User is offline   hukildaspida 

  • Advanced Member
  • PipPipPip
  • Group: Member
  • Posts: 3353
  • Joined: 24-August 07

Posted 12 April 2016 - 04:05 PM

Wellington Hospital paid out former staffer after colleagues breached her privacy

BEN HEATHER

Last updated 16:56, March 31 2016


http://www.stuff.co....hed-her-privacy

A Wellington woman's sensitive health records were improperly "browsed" for months by hospital co-workers, and the breach was not picked up until years later.

In notes released on the recent decision, the Office of the Privacy Commissioner has criticised a "large health agency" for not guarding the woman from her prying co-workers.

"The extent of the browsing and length of time before detection also indicated the safeguards in place were not adequate."

The case is understood to relate to a complaint lodged against the Capital & Coast District Health Board, which last year apologised to a former employee after an investigation revealed a co-worker breached her privacy in 2012.

READ MORE:
* Health privacy investigation at Wellington Hospital after complaint
* Privacy review at Wellington Hospital after staffer caught snooping on records

However, the commissioner's report reveals for the first time that two, not one, of the woman's administrative co-workers at Wellington Hospital were improperly accessing her electronic health records, including her mental health and emergency department records.

"This was especially distressing for the complainant because it renewed the complainant's concerns that her colleagues had treated her unfairly and had been sharing her sensitive health information with each other."

The woman was so upset by the breaches that she felt unable to remain at the DHB, which she "no longer trusted".

"The harm suffered by the complainant was ongoing and substantial," the report says. "She experienced high levels of anxiety, nightmares, and was fearful of further browsing of her health information."

The notes also reveal the complaint resulted in the DHB paying "financial compensation" to the victim, as well as an apology.


In March, an audit released under the Official Information Act showed the co-worker first suspected of breaching the complainant's privacy had inappropriately accessed the medical file of at least five other people, mostly family members.

She no longer works at the hospital, although the DHB has refused to comment on whether she was dismissed.

DHB chief operating officer Chris Lowry
confirmed a second staff member had been caught accessing the woman's records, and also no longer worked at the DHB.

A subsequent audit discovered that she had also improperly accessed the records of 115 other patients, although she had not printed or shared these records with anyone else.

In March, Lowry said the privacy breach detailed in the audits had sparked a wider review around the security of their electronic records.

Among the resulting recommendations was making it clearer to staff the consequences of breaching patients' privacy, which could include dismissal, and better privacy training for administrative staff.

Random weekly audits of electronic records were already carried out, but the review said these audits could be strengthened and limits around who could access which records improved, Lowry said.

The DHB was still working out what was practical with the existing technology, but no system would be 100 per cent effective against breaches, Lowry said.

"We have thousands of staff members that have appropriate acess to many, many patients' medical records. It [a privacy breach] is like a needle in a haystack sometimes."

STRING OF BREACHES

The breach is just one of a string of hospital staff caught snooping on patients' files in the past few years.

Last year, three staff at Palmerston North Hospital were dismissed for breaching patients' privacy. It came after a former hospital nurse told a disciplinary tribunal that staff routinely accessed health records of patients they weren't treating.

In 2013, several Hutt Hospital receptionists were caught going through the medical notes on a surrogate mother 20 times, but kept their jobs.

In the same year, Canterbury DHB was forced to apologise to cricketer Jesse Ryder for breaching his privacy. While Ryder was recovering from serious injuries suffered after a late-night assault, four clinicians not involved in his care accessed his medical records.

- Stuff
0

#4 User is offline   hukildaspida 

  • Advanced Member
  • PipPipPip
  • Group: Member
  • Posts: 3353
  • Joined: 24-August 07

Posted 03 May 2016 - 03:15 PM

Re post #2 and ADHB

Was this classified as a "Privacy breach" or not?

On the surface it appears as if Auckland District Health Board Chief Executive Ailsa Claire may have some staff training to do in relation to the disclosure of statistics relating to transparency of Privacy breaches.


Eel X-ray hospital staff disciplined
Last updated 10:28 17/04/2013

http://www.stuff.co....aff-disciplined

Thirty-three staff at Auckland City Hospital have been punished for looking at X-rays and information on a man who had an eel stuck up his bottom.

Staff were sacked, given verbal warnings, written warnings and final written warnings after an investigation found there was no legitimate reason to access the patients records.

The majority of the privacy breaches were from looking at the man's radiology images on a computer, but some staff also looked at the his blood test results and the discharge summary.


The privacy breach stretched to the distribution of information to public and media.


The disciplinary action was the result of a six-month investigation into the breach.

"The findings are disappointing, to say the least, but we are taking action to ensure compliance with Auckland DHB policy in future," said Auckland District Health Board Chief Executive Ailsa Claire.

"Now we must ensure this situation serves to highlight and build understanding of our privacy obligations to our patients," she said.

The patient sought medical attention in September 2012, after the eel became lodged in his lower stomach.

Doctors at Auckland Hospital had to surgically remove the eel, hospital sources said.

The x-ray of the eel stuck in the man was the topic of hospital gossip after it was emailed out, in what was a major breach of the patient's privacy.

The case became world news after it was leaked to the media.

A total of 49 staff, including six senior medical officers, 21 junior doctors, 20 nurses or midwives and two scientific and technical health staff, were initially investigated.

"One of the fundamental responsibilities of working in a healthcare environment is showing respect for patients' rights to privacy," said Claire when the investigation was launched.

"I take that responsibility very seriously indeed and I expect our staff to work and act at all times with a level of professionalism that honours the trust our patients place in us," she said.

All ADHB staff would now be required to re-sign a confidentiality agreement each year.

The patient did not make a complaint but had remained fully informed throughout the investigation, and had been issued an apology.

- Stuff
0

#5 User is offline   hukildaspida 

  • Advanced Member
  • PipPipPip
  • Group: Member
  • Posts: 3353
  • Joined: 24-August 07

Posted 04 August 2016 - 03:09 PM

With thanks to NZdoctor

Lab technician censured and fined after flouting DHB’s patient privacy rules
Ruth [email protected] 01 August 2016, 1:05PM

http://www.nzdoctor....vacy-rules.aspx


http://www.nzdoctor....decisionweb.pdf

An Auckland lab technician has been censured and fined by the Health Practitioners Disciplinary Tribunal after accessing lab results for members of her family and friends.

Rosalinda Zabala, who was working at LabPlus, Auckland DHB, accessed lab results without authorisation hundreds of times between January 2011 and November 2014.

Ms Zabala told her employer, Auckland DHB, she accessed lab results of her family because of concerns about their health. She accessed results of members of her church to help them as a pastoral leader and support person.

Her actions were discovered after she visited a one-year-old patient at Starship Children’s Hospital intensive care unit. She questioned the staff nurse about the care of the child, having seen his liver function results.

This led to the nurse raising concerns with her manager and an investigation was carried out into Ms Zabala’s use of the Delphic lab information system. Her employment at the DHB, which had begun in 1996, was terminated in early 2015.

Tribunal decision

The Auckland DHB has a privacy policy that states: “Only those staff members involved in the care and treatment of the patient may have access to that person’s clinical record.”

When logging on to the Delphic system, a warning message pops up reminding users that access to clinical results is forbidden for any other reason than assisting in the delivery of healthcare.

The tribunal found Ms Zabala’s unauthorised accessing of lab results for herself and family members did not warrant a disciplinary sanction. “This was an error of judgment, but not one that we find to be serious in the circumstances of this case.”

However, it found accessing results of six members of Ms Zabala’s church for personal reasons was a serious abuse of privilege given to health practitioners which amounted to professional misconduct.

She accessed these records 350 times over a period of nearly four years.

The tribunal took into account she had effectively been suspended after her employment was terminated in January 2015. Her actions had been motivated by care and concern for her church community and she had admitted wrongdoing unreservedly.

Ms Zabala was fined $4000, was censured and must disclose the tribunal decision and penalty to any employer for a period of 12 months after resuming practice.
0

#6 User is offline   hukildaspida 

  • Advanced Member
  • PipPipPip
  • Group: Member
  • Posts: 3353
  • Joined: 24-August 07

Posted 04 August 2016 - 03:16 PM

Interesting and may be misleading Linkedin Profile belonging to Rosalinda Zabala

What was she doing in all the years between her University attendance and job at Sky City Casino?

What role and was she working in a hospital in the Philippines where she appears to have originated from?

Why did she truthfully leave the Philippines to come to NZ?

One has to perhaps question if there has also been other unacceptable conduct elsewhere with her.

Have her qualifications to enter NZ in anyway been manipulated?

Just saying as sometimes these behaviors go hand in hand


https://nz.linkedin....zabala-95804b50

Rosalinda Zabala

Medical Laboratory Scientist at Auckland District Health Board

Auckland, New Zealand
Hospital & Health Care

Current

Auckland District Health Board

Previous

Auckland District Health Board-LabPlus, Sky City Casino

Education

Auckland University of Technology

Experience

Medical Laboratory Scientist
Auckland District Health Board
December 2010 – Present (5 years 9 months)

I work as a midnight to 0800 staff doing daily, weekly and forn\tnightly maintenance on the modular analysers. I run these machines regularly together with the TDX, osmometer, Fibronectin FLi machine, CDX90 machine, Radiometer blood gas machines. I can do data entry as well as checking and numbering of newly arrived specimen.
Medical Laboratory Technician
Auckland District Health Board-LabPlus
May 2000 – November 2010 (10 years 7 months)

I did a similar jod as a scientist although I have greater responsibilities as a scientist.
Cashier
Sky City Casino
September 1996 – February 1999 (2 years 6 months)

Handled a certain amount of float money to be used for foreign exchange, chip exchange, claims of winnings, coin bulk exchanged to cash money, balancing up to the last cent. Being a "front person" you should be able to communicate well, friendly, helpful and honest.

Skills

Can drive a carCan run and do maintenance on modular analyserscan cook

How's this translation?

Great•Has errors

Education

Auckland University of Technology
Auckland University of Technology
Graduate Diploma in Applied Science, Biochemistry
2008 – 2010
University of Santo Tomas
BS Medical Technology
1977 – 1981
0

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users