Half a million ballots uncounted - Luxon may need NZ First, 30% drop in literacy support via Reading Recovery in last 3 years and owners are being urged to have a pet plan as Guy Fawkes rolls around. Video / NZ Herald / AP / Getty
After Cheryl Horrell beat cancer she would have a recurring nightmare that people would demand to see her breast prosthesis and hand it around for examination.
So when she received a flyer from a company in her mailbox advertising products for people who’d had breast cancer she felt as if her nightmares were coming true.
In a decision released this week the Human Rights Review Tribunal found the Cancer Society’s database containing breast cancer survivor’s personal information was “clandestinely” accessed and the information used in a targeted pamphlet drop by another company.
That company, Naturalwear, says it came by the information honestly and it only sought to make contact with women who might need their services once the Cancer Society stopped providing breast prostheses in the Canterbury region.
For Horrell, who purchased a number of breast prostheses through the Cancer Society after having a mastectomy in her 30s, that pamphlet drop dredged up painful memories of a time in her life when she thought she was going to die.
“For this company to then use mine and other women’s information as a marketing opportunity? It made me feel sick,” the now 72-year-old told NZME.
“I feel very strongly about people taking information they’re not entitled to … and about my privacy.”
She took her fight to the tribunal in 2021 for what she sees as an egregious breach of her privacy and an attempt by a company to exploit her illness for their own profit.
Now the tribunal has ordered Naturalwear and its founder, Richard Brady, pay her $10,000 in reparation for using her health information for a purpose other than which it was collected.
During the hearing Horrell argued Naturalwear had wrongly collected her information in two separate ways - firstly through her prosthesis warranty card and secondly via information taken from the Society’s database which she claimed had been unlawfully acquired.
Brady accepted his company used Horell’s information in breach of the Health Information Privacy Code. However, he said the information came from her warranty card, which had been sent to Medivex, another prosthesis company he owned, by the Cancer Society - not from its database.
The tribunal stopped short of ruling exactly how the data was obtained but said it was “highly sensitive information that was clearly collected clandestinely without the knowledge of the Cancer Society from which it was uplifted”.
“In our view, there is evidence which demonstrates that some information was taken from the Cancer Society database.”
It also said that while it was clear that Horrell’s and other cancer survivors’ personal information could only have come from the database it couldn’t say with certainty that the entire database of some 900 women had been leaked.
In a statement provided to NZME, Brady said his companies had always acknowledged and accepted that the flyers should not have been sent.
“Our intent was to inform customers where they could now go to obtain the same products and services following the discontinuation of the service by the Cancer Society.”
Brady said he immediately apologised to Horrell and other affected women and destroyed their information.
He maintained that the women’s information had been sent to Naturalwear and Medivex by the Cancer Society.
“I made an error by not obtaining prior permission, before sending out an info flyer to a small number of ladies to inform them as to where they could now go and purchase the products,” he said.
Hearing
Horrell said she received a hand-delivered flyer from Naturalwear in 2018 that was addressed to her directly and offered a free breast prosthesis fitting service.
She called the listed number and asked the consultant how the company knew she had breast cancer. She was referred up to Naturalwear’s head office who told her that the issue had already been sorted.
However, the Cancer Society told her that a former employee had taken a copy of its breast cancer records with her and the Privacy Commissioner had been notified of a potential breach.
Its former chief executive of its Canterbury-West Coast division, Elisabeth Chesterman, told the tribunal she had concerns its database had been acquired and used by Naturalwear.
Former Cancer Society CEO of its Canterbury-West Coast division Elisabeth Chesterman gave evidence at the tribunal hearing in 2021. Photo / Supplied
Chesterman said that her branch of the Cancer Society finished its breast prosthesis retail and fitting service in 2016 and prior to that there had been numerous requests from Brady for it to share its patient database with his company - which was firmly declined.
Once that service ended, its prosthesis fitting consultant for the area left the Cancer Society and joined up with Naturalwear. The tribunal stopped short of explicitly blaming the employee for the data breach.
Chesterman said that a “dummy” or fake name had also been added to the database, one which belonged to a Cancer Society employee. This employee received a letter advertising Naturalwear’s products and services.
Errors in the way an address had been recorded in the Society’s database had been repeated by Naturalwear which Chesterman said also pointed to the database having been leaked.
She said she received numerous calls from other women who also received Naturalwear’s pamphlet and the Cancer Society alerted the offices of the Privacy and Health and Disability Commissioners, as well as the Ministry of Health of the suspected breach.
However, they didn’t take the matter to the courts due to the cost involved and from a desire not to re-traumatise its clients.
Brady’s evidence was that client information came from warranty cards issued to Cancer Society clients’ prostheses. He said his company Medivex held around 120 of these and it was to those women to whom the pamphlet was sent, not the nearly 900 names on the database - which he says he didn’t have access to.
He said following discussions with the Cancer Society he shredded those warranty cards and removed other patient information from both company’s databases.
Richard Brady, owner of Naturalwear, said the patient information had come from warranty cards, not the Cancer Society database. Photo / LinkedIn
Finding
The tribunal said it was possible that Medivex could have been sent warranty cards in error and that it was clear that Horrell’s card had come into the company’s possession - though it couldn’t rule exactly by which route it took.
It rejected Brady’s claim that the personal information had been obtained solely through warranty cards for some 120 women’s prosthetics and said that Horrell’s and an unknown number of other women’s information had evidently been sourced from the Cancer Society’s database.
“We also stop short of finding who was responsible for collecting Ms Horrell’s health information from the Cancer Society database and stop short of finding that Mr Brady was aware that information from that database had been used by Naturalwear for marketing,” the tribunal added.
It did find that using Horrell’s information, obtained from the Cancer Society database and from her warranty card, was used in breach of the Health Information Privacy Code.
“In this case, Ms Horrell neither knew her health information was being collected by Naturalwear nor did she consent to it.”
The tribunal ordered that the company pay Horrell $10,000 in compensation but as she represented herself wasn’t entitled to a contribution towards her legal costs.
“Based on the evidence we had, it is our view that the principal emotional harm experienced by Ms Horrell was one of outrage and anger,” the tribunal said.
“Put simply, Ms Horrell was incensed that Naturalwear would try to make money out of her misfortune, that it held her warranty card when it was not entitled to have it, and that it used information from an organisation such as the Cancer Society for commercial gain.”
The Cancer Society’s chief executive for the Canterbury and West Coast, Nicola Coom, said in a statement that the society took the privacy of the families it supports seriously and reviews its systems regularly.
Jeremy Wilkinson is an Open Justice reporter based in Manawatū covering courts and justice issues with an interest in tribunals. He has been a journalist for nearly a decade and has worked for NZME since 2022.
