Sydney-based Ryde Hospital has landed itself in serious trouble after giving the medical records of a sexual assault victim to another patient.
The patient who received the records was discharged from the hospital last week after suffering a stomach bug. As she left, hospital staff gave her documents relating to her visit, but when she got home, she realised they pertained to somebody else.
The woman’s mother, Daphne Drew, told 9News that the documents included another person’s name, address, telephone number, the reason they were in hospital and which doctor they saw.
How did it happen?
It’s easy to get caught up in the fact that the breached data belonged to a sexual assault victim – and, indeed, Ryde Hospital could hardly have hand-picked a more delicate record to mishandle. However, the focus should be on how the breach occurred and on the hospital’s response.
For the patient to be given the wrong documents, an employee must have handed them over without first checking that the name on the paperwork matched the patient in front of them. When Ms Drew called the hospital to alert them to the mistake, staff told her to “disregard” the papers.
“[They said] don’t worry about them. That was the point where I felt that’s not right,” Ms Drew said.
In other words, there was no apology and no acknowledgement that this was a serious incident. It also means that, having been told about the breach, the hospital either did not recognise it as one or did know and had done nothing about it: nobody asked for the documents to be returned or destroyed, and nothing suggested the incident was being recorded or escalated.
Ryde Hospital has since confirmed that it’s investigating the breach, and has apologised to both patients involved.
Addressing insider error
Organisations’ own employees are a serious security threat, with a recent OAIC (Office of the Australian Information Commissioner) report finding that 36% of the data breaches notified to it were caused by human error.
This is frustrating, because insider error is one of the simplest types of data breach to prevent, yet little is being done about it. Organisations can spend huge amounts of money keeping criminal hackers out of their systems, but it only takes a few policy changes – such as requiring staff to confirm a patient’s name against the documents before handing them over – to stop basic mistakes like the one at Ryde Hospital.
You can find out exactly what you need to do to stay secure by following the best practices described in ISO 27001, the international standard for information security management. The Standard will help you address security at all levels, but its focus on well-designed policies and regular staff awareness training makes it ideal for tackling human error.
Although you will need to implement and certify to ISO 27001 to get the most out of the Standard, we understand that this won’t always be possible – at least not immediately. The implementation project can take anywhere from three months to a year, and will require a lot of planning. However, you can still give your staff valuable insights into the Standard by enrolling them on our Information Security & ISO27001 Staff Awareness E-learning Course.
This course explains the importance of effective information security and provides essential guidance on the things staff should do to stay secure.