A recent and extraordinary privacy breach at a Sydney cosmetic surgery clinic has highlighted the importance of protecting patient information and keeping it secure, particularly where that information is stored online.
The incident occurred at The Cosmetic Institute in Bondi Junction where, according to media reports, before and after photographs of patients who had undergone breast augmentation procedures were exposed in a publicly browsable directory listing (index) on the clinic’s website. The site automatically stored the photographs (including nude photographs) and the pre-surgery medical forms that patients were required to submit online.
Ordinarily that directory was not accessible to the public; it is claimed that an IT error made its contents publicly available.
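The exposure described above is a web-server directory listing (autoindex) on a folder of uploaded files. The following script is an added example, not code from the original bulletin or from the clinic: it recognises the HTML that Apache (mod_autoindex) and nginx (autoindex on) generate for such a listing and reports which files it exposes, so a practice can test its own upload paths before a patient or a search engine does. The listing HTML, the page HTML, the file names and the `/uploads/patient-forms` path are constructed for the example.

```python
"""Detect a web-server directory listing in an HTTP response and list what it exposes.

Added example (not part of the original bulletin). analyse_response() works on a
saved response so it runs offline; probe() fetches a live URL with the same logic.
"""
import posixpath
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field

# Apache and nginx both title an autoindex page "Index of /path".
INDEX_TITLE = re.compile(r"<title>\s*Index of\s+(/[^<]*?)\s*</title>", re.IGNORECASE)
# Apache emits a "Parent Directory" link, nginx a "../" link; requiring one of them
# avoids flagging an ordinary page that merely contains the words "Index of".
PARENT_LINK = re.compile(r'<a href="[^"]*">\s*(?:Parent Directory|\.\./)\s*</a>', re.IGNORECASE)
# Listing entries are relative links; Apache's sort links (?C=N;O=D) and the
# absolute parent link are excluded by the first-character class.
ENTRY_LINK = re.compile(r'<a href="([^"?#:/][^"]*)">', re.IGNORECASE)

# Extensions that, in a medical-practice upload folder, would hold patient data
# (assumed list for the example; extend to match your own forms and images).
SENSITIVE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
                 ".xls", ".xlsx", ".csv", ".zip", ".sql", ".bak"}


@dataclass
class ListingReport:
    is_listing: bool
    path: str = ""
    entries: list = field(default_factory=list)
    sensitive: list = field(default_factory=list)


def analyse_response(status: int, content_type: str, body: str) -> ListingReport:
    """Return whether the response is a directory listing and which files it exposes."""
    if status != 200 or "text/html" not in content_type.lower():
        return ListingReport(False)
    title = INDEX_TITLE.search(body)
    if not title or not PARENT_LINK.search(body):
        return ListingReport(False)
    entries = [e for e in ENTRY_LINK.findall(body) if e != "../"]
    sensitive = [e for e in entries if posixpath.splitext(e)[1].lower() in SENSITIVE_EXT]
    return ListingReport(True, title.group(1), entries, sensitive)


def probe(url: str, timeout: float = 10.0) -> ListingReport:
    """Fetch a URL (your own site) and analyse it; network errors count as 'not listed'."""
    req = urllib.request.Request(url, headers={"User-Agent": "autoindex-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(512 * 1024).decode("utf-8", errors="replace")
            return analyse_response(resp.status, resp.headers.get("Content-Type", ""), body)
    except urllib.error.URLError:
        return ListingReport(False)


# Constructed sample: an Apache-style listing of an upload folder (not a real site).
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /uploads/patient-forms</title></head>
<body><h1>Index of /uploads/patient-forms</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/uploads/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="consent-0419.pdf">consent-0419.pdf</a></td><td>2017-05-02 10:14</td></tr>
<tr><td><a href="pre-op-0419.jpg">pre-op-0419.jpg</a></td><td>2017-05-02 10:15</td></tr>
<tr><td><a href="post-op-0419.jpg">post-op-0419.jpg</a></td><td>2017-05-02 10:15</td></tr>
<tr><td><a href="archive/">archive/</a></td><td>2017-04-30 09:00</td></tr>
</table></body></html>
"""

# Constructed sample: an ordinary form page, which must not be flagged.
SAMPLE_PAGE = """<html><head><title>Patient Forms</title></head>
<body><form action="/submit" method="post"><a href="privacy.html">Privacy</a></form></body></html>
"""

if __name__ == "__main__":
    report = analyse_response(200, "text/html; charset=utf-8", SAMPLE_LISTING)
    print("listing:", report.is_listing, "path:", report.path)
    print("exposed files:", report.sensitive)
    print("form page flagged:", analyse_response(200, "text/html", SAMPLE_PAGE).is_listing)
```

Run `probe()` against every folder your forms or images are written to, including the parent of each. A positive result is fixed at the server, not by hiding the folder name: in Apache set `Options -Indexes` for the directory (or in its `.htaccess`), in nginx ensure `autoindex off;` (the default) for that location, and preferably move uploaded patient files out of the web root altogether so that no URL maps to them.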
The clinic owner is reported to have disabled the website as soon as he became aware of the breach; however, as is often the case online, by then the damage was done.
Patients were understandably horrified that their extremely sensitive information was available for the world to see.
The implications of such a breach are significant, both for the practice and for its patients, and include:
- adverse publicity, which can be extremely damaging to a medical practice, particularly one that provides elective procedures in an ultra-competitive market;
- the loss of existing and prospective patients concerned that a breach could recur;
- potential legal claims by the patients affected;
- regulatory action: the Privacy Commissioner has wide-ranging powers in respect of serious privacy breaches, including seeking substantial civil penalties, and can require a practice such as The Cosmetic Institute to take remedial action, which is often expensive;
- mandatory notification: this is precisely the kind of situation envisaged by the Notifiable Data Breaches scheme introduced by amendments to the privacy legislation and set to come into effect later this year (our April Bulletin contains a summary of the mandatory breach notification requirements);
- irrespective of the mandatory reporting obligations, in such a situation it would be highly recommended to notify the patients who may have been affected and to approach the Privacy Commissioner for advice on managing the breach.
All of this comes at significant cost to the practice in time, inconvenience and money.
Even where another person, possibly an external third party, is responsible for the error that caused the breach, you as owner or part owner of the practice are ultimately likely to be held responsible.
The Cosmetic Institute’s privacy peril serves as a timely reminder to review your practice’s privacy arrangements, particularly if your practice has an online presence through which patients can access or complete forms. The ramifications of a privacy breach are significant and should be avoided at all costs. You can also take steps to limit your financial exposure through appropriate insurance. MIGA is well placed to provide advice in this area and insurance cover for your practice.