Private details of more than 9000 ACC claims – some featuring well-known people – have been emailed to a person who should not have received them, in what is being described as one of the worst privacy breaches in New Zealand history.© 2012 Fairfax NZ News
The details included personal information on nearly 250 clients from ACC's most secure unit – the sensitive claims unit. Full names, the nature of each claim and dispute, and individual claim numbers were among the information revealed.
Senior management at ACC were told three months ago that they had possibly made the biggest privacy breach in New Zealand history, but they have made no effort to investigate or contain the breach with the recipient.
Some of the names in the huge files were public figures, the recipient said, and they also included victims of violent and sexual crimes. Without going through all the files, the recipient recognised at least 10 people on the lists.
The sensitive claims unit is a special unit containing ACC's most sensitive claimants, including sexual abuse and rape victims.
Before the warning to ACC management, ACC's board and former ACC minister Nick Smith were told about systemic failures of the corporation's processes for respecting the privacy rights of claimants.
The board was given an example of a branch medical adviser who covertly communicated with an ACC assessor providing false information to manipulate a medical report in ACC's favour.
A board member was sufficiently alarmed by the allegations to raise the matters at a higher board level, which resulted in a meeting between the recipient of the information and ACC management in December.
At that meeting, the recipient and their advocate told ACC's national manager of recovery independence services, Philip Murch, that ACC had potentially caused the biggest privacy breach in New Zealand's history.
ACC was told that its own staff emailed the recipient sensitive details of thousands of claims, which could result in thousands of complaints because of incompetent privacy management practices. ACC was told it would be horrified to know what material it had fired off.
But in spite of the general warning to the board and the explicit disclosures in December – including a formal written complaint – ACC management have not investigated the privacy breach with the recipient.
The same details also appear to have been sent to more than 50 ACC managers, most of them not from the sensitive claims unit, raising questions about the security of information supplied to the unit.
Personal information held by the unit is not supposed to be divulged to anyone outside the unit without the permission of the client.
The recipient, an ACC client, did not want to be named because they feared being swamped by telephone calls from other ACC clients concerned their details have been distributed nationwide.
The recipient blacked out all personal details of claimants when providing documents to The Dominion Post.
Privacy Commissioner Marie Shroff said if the emailed data involved personal details of thousands of people the breach was likely to be one of New Zealand's most serious.
She expected government agencies to adhere to her office's notification guidelines, which include contacting those whose privacy has been breached, getting the information back, minimising harm and making sure it did not happen again.
New Zealand laws are behind other jurisdictions in not providing for mandatory reporting of data privacy breaches and her office is developing a view on the need for there to be consequences for data breaches.
An ACC spokeswoman said the corporation took all privacy complaints "extremely seriously" but it had received no formal complaint.
ACC had implemented several safeguards to "ensure all client information is protected and managed correctly".
In 2010, ACC apologised after it admitted sending up to 2000 companies private information about workers' accidents that should have gone to other employers.
The information included names, descriptions of accidents, injuries, treatment and ACC payments.
A Petone business owner blew the whistle after she was sent private details about a Whanganui man she did not know, who had suffered a fall.
http://www.stuff.co.nz/national/health/6563083/Privacy-breach-on-9000-ACC-claims
No comments:
Post a Comment