Thousands of files containing ‘high-risk’ information were received by InterSystems as part of a software system upgrade.
The Northern Territory Government “inadvertently shared” the identifiable information of thousands of patients when transferring medical records to global software vendor InterSystems.
The ABC revealed that between 2018 and 2019, NT Health sent more than 50,000 patient files to the Department of Corporate and Digital Development’s Core Clinical Systems Renewal Program.
The Core Clinical Systems Renewal Program then transferred more than 3000 of these files to InterSystems, 480 of which were identified as being clinically “high risk” in an incident report commissioned by NT Health in 2019.
These files displayed patients’ first and last names in full view and contained a range of “sensitive” or “highly sensitive” information such as records of psychiatric facility visits, terminated pregnancies, stillbirths or electroconvulsive therapy sessions.
The incident report also found that no data governance framework had been set up by NT Health or the CCSRP before the files were transferred.
The report’s authors ruled that the transmission of identifiable patient data was a “systemic issue”, rather than being carried out by a “single malign body”.
InterSystems told The Medical Republic that it was informed that patient records containing identifiable information had been shared with Australian staff by the NT government in August 2019.
“InterSystems took immediate action to locate, quarantine and destroy the data across all of its systems and devices, in accordance with Australian data privacy regulations,” the company said in the statement to The Medical Republic.
Northern Territory Chief Minister Natasha Fyles, who was Health Minister at the time, did not make the incident public, choosing instead to refer the matter to Information Commissioner Peter Shoyer.
“I was advised in a flash brief and also at the chief executive meetings, but I had no role … around decisions [not to tell the public],” she told the ABC.
Following the exposure of the incident, NT Health told media that work has been done to bolster their “internal controls”, reducing the likelihood of another privacy breach.
In a statement, the department also advised that patients themselves were responsible for checking if their records were involved in the transfer.
Individuals whose privacy was breached can contact the department’s information and privacy unit through this form, available on NT Health’s website.
