He had post-traumatic stress disorder and two approved claims with ACC for which he received treatment. The Herald reported on the breach on November 1.
“What systems have you got in place to prevent human errors from occurring?” Boyack asked.
“Because we know that humans do sometimes make errors and it’s not about blaming that individual.”
She added: “It happened a few years ago with sensitive claims. Why is it happening again? And what steps is ACC going to take to ensure that it doesn’t happen again?”
ACC chair Dr Tracey Batten said the agency did take client privacy seriously and acknowledged other breaches.
She may have been referring to a 2022 incident when an ACC staffer breached client privacy after snooping on a sensitive claim.
“Following that privacy breach, we actually put in a very comprehensive set of actions to really try and strengthen and improve our privacy controls,” Batten said.
“We did have an external review commissioned at that time to look at our systems and our processes and we have worked very diligently through all those recommendations to implement the findings of those recommendations.”
But that diligence was not enough to stop this year’s privacy breach.
It was also insufficient to stop another breach late last year when Roger Allison, seeking compensation for post-traumatic stress, had his mobile number added to a case worker’s email signature.
“I’ll pass over to Megan to talk about the specifics of this case,” Batten said, referring to ACC chief executive Megan Main.
“I don’t think you want to go into the specifics of the individual case,” Main said. “I think the question is around, what are we doing to make sure this doesn’t happen again?”
Main added: “I am aware that in this instance, the name and an email address were pasted into correspondence for the client that you’ve mentioned.”
The breached correspondence also discussed a medical appointment and psychological therapy for that client.
“It’s human error, but there’s always a system failure behind human error,” Main added.
“And unfortunately, in the design of our systems, we do sometimes have to transfer information from literally one part of the system to another, to be able to move from looking at a claim to communicating with the client.”
But on the breach this year, Main added: “There’s no excuse for that. That was something that shouldn’t have happened.”
Main said steps taken to mitigate risk included a delay on sending an email to give people a chance to check.
“And that has reduced those sort of unfortunate instances where ... someone doesn’t have a chance to check what they’ve sent before they hit send.”
Main said ACC now had daily stand-ups with all customer-facing teams where the importance of those checks had been reinforced.
Boyack also raised issues about case management.
“If you have somebody with two claims, how do you make the decision around the skill level and experience of the case manager assigned to that person when they might have a claim that’s potentially more medical and one that’s more sensitive?” Boyack asked.
“It really is case-by-case for each client and the nature of the claims that they’ve got. Many of our clients have multiple claims with ACC, some historic, some active,” Main said.
It was ideal for a case manager to work with the client to figure out the best way to support them, the chief executive added.
“We do have a dedicated team that deal with sensitive claims and they may not be best placed to deal with, for example, a complex physical injury.”
Main said she appreciated some clients might have distinctly different types of claims.
Maiava: Privacy issues raised
Maiava this evening said it was important to address the privacy breach issue, and the risks of having one under-qualified case manager for a client with multiple claims, especially sensitive claims.
He said he had attempted to raise this with ACC before.
“They didn’t really answer the question.”
He said his own sensitive claim ended up lumped with his other claim.
Maiava said in one instance his PIC (permanent injury compensation) assessment was compromised when an assessor forced him to proceed when he was in distress.
“There’s a lot of inconsistency, a lot of red flags.”
Boyack: More work needed
“I’m still not convinced that ACC’s system is robust enough,” Boyack said this evening.
The MP said she appreciated no system could be perfect, but she found some ACC responses unpersuasive.
She said having one case manager per client was a good move, but more flexibility might be needed for clients with multiple claims and complex cases.
She added: “I’m really grateful to Fuzzy for raising this in the public domain ... I really want to acknowledge his bravery.”
Minister’s response
ACC Associate Minister Melissa Lee last month said it was always concerning to hear about privacy breaches.
Lee said she was told ACC’s service delivery team worked with the Privacy Commissioner and followed up with the relevant staff to ensure they were aware of the correct protocol, to prevent future breaches.
John Weekes has covered courts, crime and politics for publications including the Herald, Herald on Sunday and Dominion Post.