A Melbourne medical centre is to blame for a serious privacy breach last year when the highly sensitive health records of up to 960 former patients were compromised after the abandoned garden shed they were stored in was broken into.
Australian Privacy Commissioner Timothy Pilgrim today ruled that the Pound Road Medical Centre in Narre Warren South failed in its duty to secure the personal information of its customers and to identify and destroy data it no longer needed.
However the business will narrowly avoid fines that could reach up to $1.7 million because the breach took place before refreshed privacy legislation came into effect in March this year.
The paper documents were in the process of being scanned and uploaded to an electronic filing system called ‘Medical Director’ prior to the medical centre moving premises in April 2011 – at which point they were moved to the back shed to make way for renovations.
The business operators claim that they were not aware that the unsecured boxes of documents moved to the shed contained health records, but Privacy Commissioner Tim Pilgrim said he was not convinced by this excuse.
“Physical security of hard copy documents is just as important as digital security. There is no point in converting paper records to a secure digital system, and then leaving the paper files unsecured,” he said in a statement.
“I can’t think of any circumstances in which it would be reasonable to store health records, or any sensitive information, in an unsecure temporary structure such as a garden shed.”
The records included names, addresses and dates of birth, plus Medicare details, treatment information and payment records for the affected patients.
Pilgrim’s official report said it was an “exacerbating factor” that the shed was not located at the current business premises, which would have at least allowed for monitoring of the structure.
It also pointed out that most of the records were at least 11 years old and related to individuals that were no longer patients of the practice, meaning that they should have been identified as unrequired records and destroyed under the privacy principles.
The Pound Road Medical Centre made no attempt to notify the affected individuals or the Office of the Australian Information Commissioner (OAIC) about the break-in when it took place. The OAIC said it found out about the incident through the press – as it did with the last adverse finding it handed down in late June.
In the absence of mandatory data breach notification laws, Pilgrim encouraged organisations to be more upfront about security incidents.
Upon the OAIC’s advice, the medical centre is implementing a number of changes to the ways it stores and manages records, including annual reviews of which records it still needs and which should be destroyed.