DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

NZ privacy commissioner finds that physician properly mitigated harm following a breach

Posted on September 18, 2013 by Dissent

Case Note 248601 [2013] NZ PrivCmr 4 : Medical practice mitigates future harm after data breach

A doctor working in a suburban medical practice had his car broken into and bag stolen. The bag contained a USB stick holding the personal information of a number of patients, including the complainant. The data detailed the complainant’s first and last names.  Also included were details of their prescribed drugs and medical diagnosis.

One of the doctor’s patients complained to us.

The medical practice acted quickly and fulfilled all four key steps an agency should follow in response to a privacy breach. These steps aim to contain the breach and reduce harm to the subjects of the breach.

Breach containment and preliminary assessment

Following a data breach, an agency must take immediate steps to contain or limit it. This includes designating an appropriate individual to lead the initial investigation and determine who needs to be notified.

The medical practice received news of the theft the following day and the manager immediately made plans to contact the affected individuals. Our complainant was informed of the breach by his general practitioner and offered a meeting with the manager to discuss the situation.

Evaluation of the risks associated with the breach

An appropriate evaluation includes considering what personal information was involved, establishing the cause and extent of the breach, considering who was affected by the breach and whether those affected might be harmed.

The manager noted that the only identifying details in this case were the complainant’s first and last name. He had frequently changed address in recent years and did not have a listed telephone number.  The manager believed the main harm was that the complainant may lose trust in the medical practice. However, the complainant had continued to use the agency’s services since the breach.

Notification

The patients were notified as soon as reasonably possible. The manager of the medical practice met the complainant to discuss the theft and apologised for the loss of his personal information.

Prevention

As a result of the breach, the medical practice took steps to increase the security of any data that was to leave the premises. A review was conducted of their patient information security policy.  Immediate changes were drafted for sign off by the practice’s Board.

The medical practice purchased new encrypted USB sticks immediately after the data breach, to be used where data is to leave the premises. An active register containing a list of the staff who are to use these keys was implemented and an agreement drawn up for staff to sign, acknowledging that they are responsible for the safety of the information.

Staff were advised both verbally and electronically of the new process and the medical practice ensured there was a transparent communication process with the staff about this incident.

The complainant sought damages as a result of the breach.  However we were not satisfied that he suffered harm that warranted damages.

We also considered the medical practice had taken appropriate steps in the circumstances.

See our privacy breach guidelines at:  http://privacy.org.nz/news-and-publications/guidance-notes/privacy-breach-guidelines-2/

 

Category: Health Data

Post navigation

← NZ insurance firm settles over privacy breach
UK: Newcastle Citizen’s Advice Bureau data breach concern →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • WestJet investigates cyberattack disrupting internal systems
  • Plastic surgeons often store nude photos of patients with their identity information. When would we call that “negligent?”
  • India: Servers of two city hospitals hacked; police register FIR
  • Ph: Coop Hospital confirms probe into reported cyberattack
  • Slapped wrists for Financial Conduct Authority staff who emailed work data home
  • School Districts Unaware BoardDocs Software Published Their Private Files
  • A guilty plea in the PowerSchool case still leaves unanswered questions
  • Brussels Parliament hit by cyber-attack
  • Sweden under cyberattack: Prime minister sounds the alarm
  • Former CIA Analyst Sentenced to Over Three Years in Prison for Unlawfully Transmitting Top Secret National Defense Information

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Anne Wojcicki Wins Bidding for 23andMe
  • Would you — or wouldn’t you?
  • New York passes a bill to prevent AI-fueled disasters
  • Synthetic Data and the Illusion of Privacy: Legal Risks of Using De-Identified AI Training Sets
  • States sue to block the sale of genetic data collected by DNA testing company 23andMe
  • AI tools collect and store data about you from all your devices – here’s how to be aware of what you’re revealing
  • 23andMe Privacy Ombudsman Urges User Consent Pre-Data Sale

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.