ProCare Health accused of storing up to 800K patients’ sensitive records without express consent
- The information was allegedly stored in a database called "Clinical Intelligence System" without patients' consent.
- The stored data included names, addresses, financial information, clinical data and medication history.
New Zealand-based ProCare Health, one of the largest networks of doctors and nurses in the country, has been accused of storing personally identifiable information (PII) and sensitive details of hundreds of thousands of patients without their express knowledge or consent.
Four healthcare IT firms - HealthLink, Medtech Global, myPractice and Best Practice Software New Zealand - claimed nearly 800,000 patients’ data are at risk. The firms said ProCare Health has been storing a trove of patient information such as names, addresses, financial information, clinical data and medication histories in a database named “Clinical Intelligence System.”
In a letter submitted to New Zealand’s Privacy Commissioner, the four companies claimed most patients “seemed unaware of the ProCare database” - a potential breach of New Zealand’s Health Information Privacy Code.
“At a time when attitudes towards patient privacy are shifting in favor of giving greater protections to the individual, here is an organization that has no direct patient relationship asking doctors to help it amass all the patient records it can get access to,” the letter read.
Although the IT companies said they were not aware of how widespread the data collection was, they deemed it unacceptable to hold that much sensitive information in one place.
ProCare Health, on the other hand, has hit back against the IT companies’ claims, saying it only collects information with patient consent. It also stated there are “robust” frameworks in place to ensure patient privacy is safeguarded and legal obligations are met.
“Patients should understand from the enrollment form that identifiable information is shared with the [primary health organization] (PHO) for the purposes stated,” ProCare Health said in a statement. “The PHO has strict procedures to ensure that individual patient privacy is protected and uses the data for improving healthcare provision and planning…ProCare takes very seriously the care of both patients and their records and has very robust frameworks and processes in place to ensure all legislation obligations are met.”
ProCare Health’s clinical director Allan Moffitt also said it was “irresponsible” on the part of the four companies to raise these concerns publicly without consulting the company first.
“As a PHO ProCare could not function without collecting this data and as an organization owned and governed by clinicians, we take very seriously our obligations to privacy and security of information,” Allan Moffitt said.
A spokesperson for the Privacy Commissioner said the letter will be reviewed to determine if further action is required.