The latest privacy breach at Canberra Health Services is not the first time patient records have got into the wrong hands.
A victim of a previous unauthorised disclosure has said she is "outraged" that, in her view, the right lessons have not been learnt.
In 2004, Kath Crawford was a patient suffering from post-natal depression. But she and her family found themselves in a nasty dispute with a nurse who was not involved in her treatment.
The nurse, who had no authority to access her health records, used the information to make threatening phone calls to her and other members of her family.
"She had my medical records and she wanted to hurt me," Ms Crawford said this week.
"This was a woman who had a personal vendetta and who used the weaknesses in the electronic records management system to stalk and harass me."
When it happened, she brought a case against ACT Health. After mediation, a settlement was reached. There is a confidentiality clause and under its terms, Ms Crawford cannot reveal how much compensation she received. She built a sunroom and deck at her home in Flynn afterwards.
Patients' data was kept on what was called the MHAGIC system (from Mental Health Assessment Generation Information Collection).
The nurse could get into that system but was allowed to do so only in the interests of a patient's care. Permission was granted only in very limited circumstances. Patient records were not for general perusal by anybody who worked for ACT Health.
A confidential official report into the affair concluded: "It appears that some staff do not understand the difference between being provided access and the authority to use that access.
"It is important for staff to understand the reason for their level of access and that they only look at records they need to in order to do the task."
It is not known how similar the current breach of patient confidentiality is to Ms Crawford's case because Canberra Health Services is refusing to make public what happened.
But the previous victim of a privacy breach was angry when she saw Canberra Health Services had admitted there had been another data breach - and that it was in the same area of mental health.
"When I heard about the records breach, I thought 'That's bad. They should know better'," she said.
"And when I heard it was the mental health records - the records of the most vulnerable patients - my outrage turned to fury."
She took her case to the ACT's Community and Health Services Complaints Commissioner, which has since become part of the territory's Human Rights Commission.
It found in her favour. No criminal proceedings were brought.
There is a raft of law which may apply in the current case of patients' records being disclosed to unauthorised people, according to one of the country's leading lawyers specialising in privacy law.
The ACT has its own law - the Health Records (Privacy and Access) Act, 1997, which has penalties of $5,500 or six months in prison for each breach. If there are multiple breaches over many years, that sum could become very large.
But the lawyer, Toby Patten of the Baker McKenzie law firm, says stiff penalties are very unusual in such cases.
"Australia is not a jurisdiction where we've seen massive penalties in the past. I've never heard of anyone going to prison," he said.
There is a raft of other laws about privacy. There is, for example, the federal Privacy Act with very high penalties if a GP or a nurse discloses private details - but, again, no severe penalties for breaching it have been imposed.
It's true GPs or nurses who disclose confidential patient information could be struck off - but that does not seem to apply in the current ACT situation (though, again, we can't be sure because of ACT government secrecy about what's happened).
While the criminal law may not be the best legal way forward, civil action may be more fruitful for patients whose details have been disclosed.
Twenty years after her own case, Kath Crawford still doesn't trust the system. "I still have a mistrust of their ability to protect my information."
When she is asked to sign disclaimers at the doctor's, she said, she is very reluctant to do so.
The lawyer, Toby Patten, said: "There's no individual right to privacy in Australia."