A hospital is being investigated for breaching the privacy of dozens of patients after medical records revealing a “swollen penis” and mental illnesses, among other things, were found in a Coburg street.
The Australian Information and Privacy Commissioner Timothy Pilgrim is investigating how the records of 31 patients were removed from the John Fawkner Private Hospital in Melbourne’s north last month.
The documents included queries about whether a patient should be resuscitated if they have a cardiac arrest, and notes about a “swollen penis”, depression, weight loss surgery, breast reduction surgery, dementia and incontinence.
The five pages of hand-over notes included the patients’ names, ages, diagnoses, treatment plans, medications, how many days they’d been in hospital and whether they lived alone.
Fairfax Media has seen the records with the names blacked out after a resident who lives near the hospital sent them to Victoria’s Health Complaints Commissioner and the Privacy Commissioner, both of whom investigate privacy breaches.
The documents found in a gutter near the Healthscope hospital also revealed patients’ diagnoses such as prostate cancer, opioid addiction and Parkinson’s Disease.
A resident who sent the documents to the authorities said she was disgusted with the privacy breach. The woman, who wants to remain anonymous, contacted the Victorian Health Complaints Commission and Privacy Commissioner and was shocked to receive no guarantee the hospital would tell the patients about the breach.
“Will these people ever know that this happened to them? I doubt it,” she said.
The authorities confirmed there was no mandatory requirement for the patients to be notified about the incident and a spokeswoman for Healthscope declined to say whether it would contact the patients involved.
She issued a statement saying the hospital was working with the Privacy Commissioner as part of an ongoing investigation, and declined to say what, if anything, would be done about it.
Victoria’s new Health Complaints Commissioner Karen Cusack would not comment on this incident but said there was no legislation or guidelines guaranteeing patients would be notified.
Ms Cusack said that when her office hears of a potential data breach, it contacts the organisation responsible for the records and requests an explanation.
“We will want to know about how it happened, what they’re doing about it and, importantly, what steps are in place to stop it happening again,” she said.
“In most cases we would recommend organisations contact those whose data has been breached and can advise them on how best to do so if required.”
Mr Pilgrim said he was working with Healthscope and takes breaches of health information “extremely seriously”.
“When there is a real risk of serious harm organisations are encouraged to notify affected individuals,” he said, without defining “serious harm”.
It comes after the Australian Government last month established a Notifiable Data Breaches scheme to ensure people are notified about serious data breaches. The scheme will apply to all businesses, government agencies and other organisations covered by the Privacy Act 1988 and will commence on February 23, 2018.