The stuff of HIM nightmares
Data breaches can be the stuff of HIM nightmares. You may not be able to prevent them, so it’s a good idea to prepare for them. There may be scenarios that you have not even thought would happen in your workplace!
Data breaches are defined as illegal disclosures or unauthorised access to information (Seh et al 2020). Although you, as a HIM, are highly aware of the requirement to maintain confidential information to a high standard, there are many examples of records not being managed properly, whether electronic or paper based.
Examples of data breaches were recently shared by members of the HIMAA Privacy and Security Community of Practice. They may sound far-fetched, but they actually occurred in real life.
- A hospital staff member browsing at the Tip Shop came across client files in a donated filing cabinet.
- A radiologist gave a patient and their carer the health record to take back to the ward. Unfortunately, the patient took the complete health record home.
- A patient took their paper health record off their clinician and ran out of the clinic with a small team of clinicians in hot pursuit. This health record was subsequently found in a nearby creek.
- This would have to be my personal favourite – so many elements to this story. Tradies left a door chocked open to a secondary storage area. The door faced out to a public carpark, a member of the public walked in and took 5 volumes of one patient’s record. It turns out the offender was related to the patient (I swear I couldn’t make this up if I tried). Records were dumped in the street (second thoughts, too heavy, guilty conscience?). They were picked up by a random stranger who subsequently posted a photo of them on Facebook (no identifying details shown). Eventually all the health records were returned.
- Cleaners threw out a box of health records left on the floor of a hospital department, thinking they were rubbish. HIMs had to go to the tip to retrieve them.
- Ambulance pager data was intercepted and published online by a keyboard warrior.
- COVID-19 test results messaged to the incorrect recipient.
- Emails sent to the wrong recipient are also very common. We had an example where an email containing an attachment including patient information was sent to a group email of 225 people instead of one person.
Unfortunately, these types of breaches can occur anywhere; you are not immune. The consequences of a data breach of personal health information can be severe and result in serious harm to both individuals and organisations.
These breaches can cause financial loss and reputational damage. Are you prepared for data breaches, and would you know what to do if the above examples occurred? Being aware of the correct governance of data breaches in relation to your state or organisation can greatly assist in the smooth management, or avoidance, of issues related to potential data breaches. The OAIC (Privacy Act) has some great information and guidance: https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response. Refer to relevant state authorities for further guidance.
Having a data breach response plan in place can ensure that panic is reduced, and systems run as smoothly as possible.
Communicating expected response plans to staff and providing education will ensure that staff at your workplace can identify a suspected data breach, whether electronic or paper based. Questions to ask in relation to staff awareness include: Do they know how to respond? Where to get advice? Who to report it to?
Remember to:
- Contain it – to prevent any further compromise of personal information.
- Assess it – investigate, gather the facts, evaluate the risks.
- Notify as required – internally, external parties, affected individuals.
- Review the incident – what worked well, what didn’t, and what actions can be taken to help prevent future breaches.
The Privacy and Security Community of Practice is also very happy to announce a HIMAA webinar planned for 9 March 2022 at 12.00 pm AEDT that will tie in with some of the concerns raised here. The webinar is entitled How to use Table-Top Privacy Breach Fire Drills to protect your Practice and will be presented by Jean Eaton, a well-renowned HIM from Canada who is passionate about privacy protection and health information. Jean will discuss how to be prepared for data breaches through the use of privacy breach fire drills, so it is well worth attending. Hope to see you there!
Kirstie Mountain
Sharon Campbell