Allegations 800,000 NZers at risk of medical privacy breach

Four New Zealand and Australasian healthcare IT companies have jointly contacted the Privacy Commissioner to flag the issue. Photo / 123RF

A stoush has erupted over patient medical records, with a claim the privacy of up to 800,000 Auckland patients has been put at risk.

Four New Zealand and Australasian healthcare IT companies, Healthlink, Medtech Global, My Practice, and Best Practice Software New Zealand, have jointly contacted the Privacy Commissioner to flag the issue.

They said primary health organisation (PHO) ProCare Health was putting private information of up to 800,000 Auckland patients into a large database, including patient name, age, address, and all financial, demographic, and clinical information.

ProCare Health runs a network of community-based healthcare services, including GPs, throughout Auckland. It strongly denies patient privacy is being compromised.

The IT companies said they didn't know how widespread the data collection was in New Zealand, but it wasn't acceptable to hold so much identifiable information in one place.

In a joint letter to the Privacy Commissioner, the companies said most patients seemed unaware of the ProCare database, as well as potentially some GPs.

It said it could be in breach of the NZ Health Information Privacy Code.

"At a time when attitudes towards patient privacy are shifting in favour of giving greater protections to the individual, here is an organisation that has no direct patient relationship asking doctors to help it amass all the patient records it can get access to," the letter said.

The companies said they were "seriously concerned" the database would undermine New Zealanders' confidence in public health IT systems and their GPs.

But ProCare is hitting back, saying it only collected information with patient consent, and it had "robust" frameworks to ensure it met legal obligations.

Clinical director Dr Allan Moffitt said they were obligated to collect data to comply with data sharing and reporting requirements.

They had commissioned a full Privacy Impact Assessment to check how personal information was collected and stored, and then had the assessment reviewed by the Privacy Commissioner's office.

"As a PHO ProCare could not function without collecting this data and as an organisation owned and governed by clinicians, we take very seriously our obligations to privacy and security of information.

"Patients should understand from the enrolment form that identifiable information is shared with the PHO for the purposes stated.

"The PHO has strict procedures to ensure that individual patient privacy is protected and uses the data for improving healthcare provision and planning."

Dr Moffitt said the four companies should have had a better understanding of the regulatory and contractual environment which they were delivering software in.

"It could be considered irresponsible to be raising these concerns publicly, particularly when we have not been consulted by those raising the concerns."

The Office of the Privacy Commissioner confirmed they had received the complaint, and documents related to the claims.

A spokesperson said it wouldn't be correct to say an investigation was underway, but they were looking at the information to see if further action was required.

Ministry of Health acting chief technology and digital services officer Michael Dreyer said they were aware of a potential privacy concern, and still considering the next steps.

"We understand it has been raised with the Privacy Commissioner, which is the appropriate agency to consider any potential privacy issues.

"The Ministry works across the health sector to ensure organisations comply with the health information security framework, which aim to ensure people's personal medical data is properly protected."