Online health records a 'snooping risk'

00:52, Sep 25 2014

The storing of millions of Kiwis' health records online is creating a growing risk of clandestine snooping, the privacy commissioner says.

In a report published today, the commissioner says the growth of electronic shared healthcare records increases the chances of "widespread and damaging accidental or malicious disclosures".

"Shared electronic health records . . . are potentially available to anyone in the world with the appropriate credentials, can be downloaded almost instantly."

The online records introduced by health authorities also raise concerns about security "gaps", which could leave them vulnerable to cyber attacks, compromising patients' records.

Medical records of more than 1 million patients, including nearly everyone in the Wellington region, have been automatically uploaded into one of three online health databases, which can be accessed by hundreds of doctors, nurses and other health workers involved in their care.

The rise of electronic health records is part of a government push to share more information more quickly between health workers, to cut costs and minimise potentially fatal mistakes. Patients can opt out of the scheme, and their GPs can limit sensitive information shared online.


Privacy Commissioner John Edwards said yesterday that, as well as inappropriate access by health workers, recent attacks such as the apparent hacking of Apple's iCloud to steal celebrities' naked photographs showed even the most sophisticated online security could be vulnerable.

"If that sort of sophisticated hacking was brought to bear on these systems, it would be horrific."

While electronic records would make it easier to track snooping, it also meant "things can go bad much more spectacularly", given the sheer scale of information stored and regularly accessed online.

Similar electronic healthcare records overseas have been involved in scandals, with Britain's NHS reportedly caught selling patient data en masse to private health insurers.

Edwards said New Zealand had taken a much safer, less centralised approach to handling and storing private health information online, but there was still a temptation to use private information for other purposes. "I would urge people to proceed with caution."

But Wellington GP Richard Medlicott, who sits on the board monitoring Capital & Coast DHB's shared care records, said most of his patients assumed their records were already being shared electronically. "Whenever you have a new system that has data, there is inevitably increased risk, but we are confident the benefits outweigh that risk," he said.

If any health workers accessed someone's private records without authority, it would be quickly picked up by the system in a way that was impossible when people were peeping into paper files.

Since the system went live in March this year, there had been no breaches, he said.

Private firm Medtech is one of three companies hosting the shared records scheme. Head of solutions Sanjeewa Sumaraweera said the company stored the records of about 1.5 million public health patients, including the vast majority in the Wellington region.

The information was all stored in New Zealand, and there were strict restrictions and safeguards to prevent outside access. Patients were also able to see who looked at their information, and to limit access. "I think with an iron-clad system, people will actually think twice before abusing it."


District health boards are regularly forced to apologise for snooping and clumsy handling of private medical details.

At least 250 privacy breaches have been recorded in the past five years, according to figures from 17 of the 20 DHBs, released under the Official Information Act.

These included a member of the public finding dozens of medical patients' files in a Whanganui graveyard, and a hospital worker in Canterbury passing on records to a patient's ex-husband.

Most breaches were accidents, such as sending someone's medical files to the wrong address, while others - such as the breaching of cricketer Jesse Ryder's privacy by multiple Christchurch Hospital staff - were motivated by curiosity. DHBs confirmed only a handful of staff were dismissed over privacy breaches, with many receiving warnings or "education".

DHBs also reported wildly different monitoring of privacy breaches. Auckland DHB - which services 464,000 people - claimed it had not recorded breaching anyone's privacy in the past five years, while South Canterbury DHB - which covers 55,000 people - reported more than 50 breaches.

In 2013, 123 people complained to the privacy commissioner about a breach by a healthcare provider, far more than reported by DHBs.

Commissioner John Edwards said DHBs were improving, but some still needed to keep closer tabs on privacy breaches.

"For years and years there hasn't been a focus on breaches. We are in a transition now."

The Dominion Post