Records in a garden shed: GP practice fails to secure and monitor records no longer required

Practices have an ongoing responsibility to secure patients’ personal information and destroy or de-identify it when it is no longer required. Having a records management process is not enough to satisfy obligations under privacy legislation. Practices must be diligent about auditing and managing records, otherwise old records may be overlooked and become vulnerable to data breaches, as one practice discovered.

A suburban medical practice moved old hard copy records into a locked shed at the back of its premises when it was renovating its rooms for sale. It failed to realise these boxes of records included old patient files for nearly 1000 former patients, as well as payroll records, accounts and invoices, and batched Medicare vouchers.

When it moved to new premises, the records were inadvertently left behind. The shed was broken into and information revealed, including:

• patient identifying details, including names, addresses, phone numbers, date of birth, country of birth and Medicare numbers
• patient health information, such as details of investigations, referrals and correspondence, discharge summaries
• financial information, including staff pay records, accounts to third parties such as worker’s compensation and transport accident authorities.  

The Privacy Commissioner opened an investigation in response to media reports that boxes of unsecured medical records had been discovered in a garden shed.

Failure to secure personal information

The Privacy Commissioner concluded a data breach had occurred. The practice had failed to take reasonable steps to secure personal information as required by the Privacy Act 1988 (Cth).

Given the sensitivity of the personal information, reasonable steps may have included:

• monitoring the movement of files
• regular audits to ensure the practice was aware of what they were storing and whether it was still required
• processes to ensure it securely disposed of information the practice no longer required
• appropriate physical controls to limit access to the stored information, using a secure means of storage such as a safe or a secure room, and appropriately monitoring the location of the information.

The Privacy Commissioner did not consider that there are any circumstances where a temporary structure such as a shed would be appropriate for storing sensitive health information, particularly when it was at a separate location and could not be monitored.

Failing to destroy or de-identify information when no longer required

The Commissioner also concluded that the practice had failed to take reasonable steps to destroy securely or de-identify the information that it no longer needed.

The practice had a process to review paper-based records every two years. Any records that were part of an existing patient record were scanned in and the paper copy securely destroyed. Any records it was no longer legally required to store were securely destroyed. However, the last such review had been several years before the data breach.

The Commissioner noted that ‘reasonable steps’ meant not just having a process but taking steps to ensure the process was followed. This had clearly not been done in this case.

Failing to notify the OAIC or individuals affected

The incident occurred before mandatory data breach notification requirements came into force. The practice had concluded it was unnecessary to notify patients affected.

The Commissioner commented that the OAIC ‘encourages notification where there is a real risk of serious harm’. Since these events, there is now a mandatory data breach notification scheme in Australia that requires notification of data breaches to the Commissioner and individuals if the breach is likely to result in serious harm (subject to exemptions). 

Following the breach, the practice moved all documents to a secured and monitored room within its new premises. It also developed a data breach response process. It updated its processes to review paper-based records annually.

The Commissioner also recommended the practice:

• undertake a risk assessment of their records management and privacy practices
• organise privacy training for all staff
• ensure its data breach response plan satisfied its Privacy Act obligations in the event of a future breach.

Based on the remediation steps the practice had taken and its ongoing implementation of OAIC recommendations, the Commissioner closed the investigation.

Consider your processes for securing patient health information, including physical and digital health records. This includes steps such as controlling access and having systems to monitor and detect any unauthorised access.

The Privacy Act requires you to establish and ensure that processes for maintaining privacy and managing records are followed.

Make sure all staff understand their privacy obligations.

Only keep information for as long as you require it and the law allows. Make sure you know what records you hold and have a process to conduct regular reviews to identify whether information is still required or can be securely destroyed.

Avant factsheet – Privacy: the essentials

Avant guide – Cyber: what you need to know

For medico-legal advice, please contact us on nca@avant.org.au or call 1800 128 268, 24/7 in emergencies.