A doctor working in a suburban medical practice had his car broken into and bag stolen. The bag contained a USB stick holding the personal information of a number of patients, including the complainant. The data detailed the complainant’s first and last names. Also included were details of their prescribed drugs and medical diagnosis.
One of the doctor’s patients complained to us.
The medical practice acted quickly and fulfilled all four key steps an agency should follow in response to a privacy breach. These steps aim to contain the breach and reduce harm to the subjects of the breach.
Breach containment and preliminary assessment
Following a data breach, an agency must take immediate steps to contain or limit it. This includes designating an appropriate individual to lead the initial investigation and determine who needs to be notified.
The medical practice received news of the theft the following day and the manager immediately made plans to contact the affected individuals. Our complainant was informed of the breach by his general practitioner and offered a meeting with the manager to discuss the situation.
Evaluation of the risks associated with the breach
An appropriate evaluation includes considering what personal information was involved, establishing the cause and extent of the breach, considering who was affected by the breach and whether those affected might be harmed.
The manager noted that the only identifying details in this case were the complainant’s first and last name. He had frequently changed address in recent years and did not have a listed telephone number. The manager believed the main harm was that the complainant may lose trust in the medical practice. However, the complainant had continued to use the agency’s services since the breach.
The patients were notified as soon as reasonably possible. The manager of the medical practice met the complainant to discuss the theft and apologised for the loss of his personal information.
As a result of the breach, the medical practice took steps to increase the security of any data that was to leave the premises. A review was conducted of their patient information security policy. Immediate changes were drafted for sign off by the practice’s Board.
The medical practice purchased new encrypted USB sticks immediately after the data breach, to be used where data is to leave the premises. An active register containing a list of the staff who are to use these keys was implemented and an agreement drawn up for staff to sign, acknowledging that they are responsible for the safety of the information.
Staff were advised both verbally and electronically of the new process and the medical practice ensured there was a transparent communication process with the staff about this incident.
The complainant sought damages as a result of the breach. However we were not satisfied that he suffered harm that warranted damages.
We also considered the medical practice had taken appropriate steps in the circumstances.
See our privacy breach guidelines at: http://privacy.org.nz/news-and-publications/guidance-notes/privacy-breach-guidelines-2/
Security of personal information – USB stick stolen – Data breach – Medical practice – Health Information Privacy Code 1994; rule 5