ACC call centre workers shared details of people's injuries and mocked them on Snapchat, RNZ can reveal.
The group of more than a dozen employees working at ACC's contact centre in Hamilton took photos of clients' injury descriptions displayed on their work screens and posted the images to a private Snapchat group called "ACC Whores".
One image included the name, contact details and injury suffered by an athlete who has represented New Zealand on the world stage. Another detailed the injuries of a sensitive claimant who ended up in hospital after they tried to end their life.
"It's really disgusting to be honest. They thought it was funny, but it's a breach of privacy," a member of the Snapchat group told RNZ.
They decided to speak out after RNZ reported claimants and advocates were concerned about the way the agency handled sensitive information and ACC responded with assurances.
"When I read ACC's comments that it takes privacy seriously, I just knew I had to do something."
Earlier this month RNZ reported the case of a man who was horrified to discover more than 90 ACC staff had accessed an old sensitive claim file more than 350 times since he'd closed it. The man believed his privacy and rights had been breached, but ACC said every login was justified.
The call centre whistleblower said unethical access to claimants' medical records was widespread among her colleagues. Staff routinely went into files they did not need to, even though they were told not to, the employee said.
Staff at the contact centre frequently read personal medical information about claimants even though they were "warned not to in training", and no one checked to see if rules were followed.
"I know so many people who do it and they've never gotten in trouble."
Call centre managers were aware of the behaviour but did not do anything to stop it, and one manager was even a member of the Snapchat group.
Several of the images posted to the Snapchat group, and seen by RNZ, poked fun at people who had injured themselves while drunk or intoxicated by drugs.
In one, an employee mocked a claimant who was hurt after taking "200 ampules of nitrous at a party". They posted the details with a silly face emoji and the comment: "Girl really went all out".
The whistleblower said privacy training for call centre staff was inadequate despite all of them having access to sensitive claims information.
Contrary to what many believed there were no special measures to protect medical records belonging to sensitive claims, and once the identity of the caller was verified, call centre staff could see all their claims and view all their medical records, they said.
"All we have to do is go into the documents tab and literally everything is sitting in there. And if we wanted to click on every individual one, and just open it up, there's no passwords to get into.
"We're told to ask for their full name, including middle name, their date of birth, their address on file, and their phone number and then that's security done."
Colleagues' behaviour and the general lack of security had put the employee off lodging their own sensitive claim, because they knew how easily staff could access the information.
"All of my providers that I've been talking to, therapists and things, they say, you know, it's confidential information. But I work for ACC, so I know it's not."
They believed some staff also acted unethically. "Someone on my team that I work with occasionally Facebook searches the people that she talks to ... she just gets curious, she thinks they have a hot voice."
ACC's Code of Conduct says employees must "take all reasonable steps to protect the privacy of our clients" and "be responsible for the security and confidentiality of all information that you deal with during your employment with ACC".
The misuse or sharing of client information is deemed serious misconduct, the Code says.
ACC acting chief executive Mike Tully said he was "deeply disappointed" that the situation had arisen.
"This behaviour is not tolerated at all at ACC. Since being informed we have moved swiftly and stood down 12 staff and begun an immediate investigation into this matter."
The internal investigation would determine whether there were more staff involved and if more claimants, other than the athlete, had had their privacy breached, Tully said.
The athlete, whose name, email and injuries were shared, had been contacted.
"Naturally they were surprised and had some questions of us. We've been able to answer those and we shared with the person what was disclosed and they are satisfied with our response to date."
He admitted the athlete's privacy had been beached and the employees who shared claimants' injuries breached the agency's Code of Conduct. As part of the investigation, ACC was working to identify the claimants whose injuries, but not names, were shared by the Snapchat group.
Tully did not think the behaviour was widespread among ACC employees.
"I'm unaware of that. It's deeply upsetting that a small number of our staff bring our organisation into disrepute."
Sensitive claims access
The Snapchat privacy breach comes as ACC Minister Carmel Sepuloni revealed 1414 staff at the agency had access to tens of thousands of sensitive claim files.
The figure was revealed in response to Parliamentary written questions from ACT MP Brooke van Velden.
"I am advised that access to sensitive claims is provided only to ACC staff who absolutely require it in order to complete the functions of their role," Sepuloni said.
"Approximately 27,000 sensitive claims are actively managed by ACC each year, and this number continues to increase as demand for support increases. It is critical that ACC has enough appropriately trained staff with access to the right information available to manage all aspects of a survivor's claim in order to provide them with the support they require.
"I am assured that ACC takes the privacy of the information it holds very seriously and all information provided to ACC by clients and providers is handled with care and respect," Sepuloni said.
"ACC is working to determine whether it needs to change or improve its systems and processes with respect to access to sensitive claims information. How ACC collects, secures, uses and shares information is governed by the Privacy Act and the Health Information Privacy Code."
Access to sensitive claims files should be severely restricted to a small number of staff, van Velden said.
"I do not see how over 1400 people in ACC need access to information that provides ongoing trauma to people who have reached out to the Sensitive Claims Unit. A smaller group of people will find it much easier to keep people's information private."
She said the "despicable" behaviour of call centre staff sharing private and sensitive information amongst themselves was proof change is needed. "There cannot be a good reason why so many people need to have access to that information."