Four healthcare IT companies warned that a primary health organization (PHO) put up to 800,000 patients' medical data at risk.
On 17 July, New Zealand and Australian healthcare companies HealthLink, Medtech Global, myPractice and Best Practice Software New Zealand sent a letter to New Zealand's Privacy Commissioner. In it, they explained how they learned in June that ProCare Health had been storing hundreds of thousands of patients' information, including names, addresses, financial information, clinical data and medication histories, in a database called "Clinical Intelligence System." The four companies said they didn't know the extent of the data collection but asserted it was unacceptable to store so much data in a single location. They clarified that the data storage was particularly troubling because most patients and some general practitioners (GPs) "seemed unaware of the ProCare database," as The New Zealand Herald reported. The companies therefore argued that ProCare Health could at best have undermined patients' trust in the public health system and at worst breached the NZ Health Information Privacy Code.
As they explained in their letter: "At a time when attitudes towards patient privacy are shifting in favour of giving greater protections to the individual, here is an organisation that has no direct patient relationship asking doctors to help it amass all the patient records it can get access to."
For its part, ProCare Health said it did nothing wrong. The PHO noted that it relies on consent to collect, when patients visit their doctor, the information it needs to function. Clinical director Dr. Allan Moffitt told Stuff in a statement that ProCare Health makes great efforts to protect patients' information once it has collected it:
"Patients should understand from the enrolment form that identifiable information is shared with the PHO for the purposes stated. The PHO has strict procedures to ensure that individual patient privacy is protected and uses the data for improving healthcare provision and planning.... ProCare takes very seriously the care of both patients and their records and has very robust frameworks and processes in place to ensure all legislation obligations are met."
A spokesperson for the Privacy Commissioner said the office had received the four healthcare IT companies' letter and would be reviewing the case to determine if further action was warranted. Given the types of digital threats confronting them, healthcare organizations should make sure they've taken appropriate steps to secure patients' electronic health records. Healthcare organizations should also consider purchasing a solution that provides comprehensive digital security protection.