Follow
null

South Australian health medical records data breach

Written by Lani Carter

In August 2018, it was discovered that for 13 years, the names, birth dates and results of approximately 7,200 pathology tests taken between 1996 and 2005 were embedded in a PowerPoint presentation, which had been uploaded to the Women’s and Children’s Hospital website.

The data breach was first discovered when a parent “Googled” their child’s name. The Hospital was notified of the breach after a complaint was made to the Health and Community Services Complaints Commissioner's office.

The data was removed from the website in 2016 but remained available on two document-storing websites (until they were asked to remove the information). Cached versions of the documents also remained online until recently.

Women's and Children's Executive Director of Corporate Services, Phil Robinson, said: “Our IT security team advise that the risk of anyone discovering the embedded information within the presentation is extremely low". He went on to note that there is no evidence to suggest the data had been used inappropriately.

Embedded data can reside in electronic documents such as presentations, smartphones, CDs, DVDs, flash drives, hard drives, tapes and more. Data from all these devices can be collected, stored, monitored and used for inappropriate purposes.

While we are all becoming increasingly conscious of the importance of protecting patient information (given the introduction of My Health Record and the Notifiable Data Breach Scheme), there remains a lack of awareness and understanding about the risks posed by embedded data. Many won’t have considered what comprises embedded data and where it might reside, or the potential threat it poses—from a financial perspective and from a reputational one.

This breach highlights that practitioners must be vigilant in ensuring that in sharing electronic information, they cannot limit their enquiry to what appears on the face of the record, but must also consider what data might sit behind that document to ensure they are not also unwittingly disclosing embedded information. 

Queensland Heart Valve Bank

Written by Mark Sainsbury and Andrew Mansfield

The Queensland Government Department of Health operates the Queensland Tissue Banks, which includes the Heart Valve Bank (HVB). The HVB supplies donor tissue for use in cardiac valve replacement and tissue grafts throughout Queensland and Australia.

In mid-2017, tissue from a donor with a specific type of brain cancer was released for use in cardiac surgery. The tissue was subsequently used on four patients, being three children less than one-year-old and a young adult.

While patients with cancer can make certain tissue donations, the use of that particular donor tissue constituted a breach of HVB protocol.

The breach was identified during a routine audit in mid-2018. Queensland Health immediately notified the affected patients and families, ceased tissue donation from the HVB and ordered an independent, external review of HVB operations.

Chief Health Officer, Dr Jeanette Young, issued a statement saying that after an exhaustive search of medical literature, Queensland Health was unable to find any instances of graft donor recipients developing cancer when a tissue graft has been taken from a patient with this particular type of brain cancer. An internal review of cardiac tissue grafts by Queensland Health did not identify any similar issues over the past five years either.

While operating, the HVB distributed cardiovascular tissue across Queensland and interstate for use in surgery, most commonly in children and infants with congenital heart disease. At this time, the HVB remains closed (with tissue being sourced from interstate) and the independent external review is expected to be finished by the end of this year. While it has not been confirmed, it might be assumed that once compliance can be assured, Queensland Health will look to re-open the HVB.

It appears unlikely (at least at this time) that the donated tissue will give rise to cancer or associated medical conditions or complications. However, given the traumatic nature of this experience for the patients and their families, nervous shock claims may result from the incident. 

The HVB incident highlights the importance of strict processes and compliance within facilities that conduct tissue donation services or other sensitive procedure-based medical activities such as pathology.

Regular auditing of these services is an important risk management tool and is something insurers may wish to investigate when considering underwriting such risks.

Procedural fairness in WA Tribunal decisions

Written by Laura Pilsworth

The recent decision of Lal v Medical Board of Australia [2018] WASCA 109 involved an appeal by Dr Lal from a decision of the State Administrative Tribunal (SAT). The SAT cancelled Dr Lal’s registration as a medical practitioner and disqualified him for reapplying for registration for five years. Dr Lal appealed the decision on the basis that he was denied procedural fairness—claiming that the SAT made findings of fact that went beyond the minute of agreed facts and he was not give any notice of the SAT’s intention to make those findings of fact.

The proceedings in the SAT were commenced by the Medical Board of Australia (Board) and sought orders that Dr Lal had behaved in a way that constituted professional misconduct. The grounds for the orders included:

  • a breach of professional boundaries
  • sexual misconduct
  • making misleading entries in clinical notes
  • making false statements to the Australian Health Practitioner Regulation Agency (AHPRA) and the Board
  • making false statements to the police in relation to a criminal complaint against the patient, and
  • making false statements for the purposes of the criminal prosecution of the patient.

The agreed facts in relation to the category of sexual misconduct were restricted to an act of oral sexual misconduct upon Dr Lal by the patient and did not include the allegations made by the Board that Dr Lal had embraced the patient and made other untoward advances of a physically sexual nature. However, the SAT made a finding that Dr Lal’s sexual misconduct was more serious because it involved penetration and this was to be regarded more seriously than instances of sexual misconduct not involving sexual penetration.

The Court of Appeal found that the SAT had made findings of fact that were adverse to Dr Lal and had relied on those findings of fact. However, Dr Lal had no notice that findings of that kind were to be made and no opportunity to present evidence in relation to them.

In conclusion, the Court of Appeal found Dr Lal had been denied procedural fairness and that leave to appeal should be granted, the decision of the SAT set aside and the matter remitted to a differently constituted SAT for redetermination.

The Court of Appeal was especially critical of the SAT’s reasoning, which contained large amounts of text lifted from the Board’s written submissions without any attribution. At [35] the Court of Appeal noted that “the preparation of reasons by applying ‘scissors and paste’ to written submissions presented by the successful party, without acknowledging that process, is bound to cause the unsuccessful party, and the community, to entertain a real doubt as to whether the decision-maker has properly engaged with the case presented on behalf of the unsuccessful party.”

This decision is a reminder to parties that an agreed statement of facts should include all information that is to be relied upon in the proceedings. If facts are agreed, courts should not go beyond them without giving the parties notice.

Return To Top
Related articles
Media room