Four Information Technology for health care companies warned that a primary health organization (PHO) puts medical information at risk from 800,000 patients, according to expert reports on enterprise data protection services.
On 17 July, HealthLink, Medtech Global, MyPractice and Best Practice Software, based in New Zealand and Australia sent a letter to the New Zealand Privacy Commissioner. In the letter, they explain having discovered in last June that the PHO ProCare Health had been storing hundreds of thousands of patient data, including names, addresses, financial information, clinical data and medication histories in a database called “Clinical Intelligence System”.
The four companies recognize that they don’t know the range of data collection, but they stated it was unacceptable to store so much data in a single place. They clarified that data storage was particularly worrying because most patients and some general medics seem to know nothing about the ProCare database, according to reports of experts in enterprise data protection services. Therefore, the companies argued that, in the less bad case, ProCare Health could have undermined patients’ confidence in the public health system and, in the worst cases, violated the New Zealand Health Information Privacy Code.
As the companies explain in their letter, “at a time when attitudes towards the patient’s privacy change in favor of providing greater protection to the user, here is an organization that does not have a direct relationship with the patient and asks doctors to help accumulate all records of patients they may have access to”.
On the other hand, ProCare Health denies any breaches. The company stated that it depends on the consent to collect the information they need from the patients when they visit a doctor. The clinical director, Dr. Allan Moffitt, mentioned in a statement that ProCare Health makes great efforts to protect patient information once it is collected.
“ProCare Health has strict procedures to ensure that the patient’s individual privacy is protected and data is used to improve health care provision and planning. ProCare takes the attention of patients and their records really seriously, and has very strong frameworks and processes to ensure that all legal obligations are fulfilled”, the company statement mentions.
A Privacy Commissioner’s spokesman said the office received the letter from the four companies and would review the case to determine if subsequent legal actions are justified, as reported by experts in enterprise data protection services from the International Institute of Cyber Security.
Thinking about digital threats, health care organizations must ensure that they have taken appropriate measures to protect digital health records of patients.