This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Canberra Health Services

Summary

Canberra Health Services disclosed on 6 March 2023 that staff had illegally shared the clinical records of 13 mental health patients with external parties over a period of years without patient consent. The patient records were "deliberately sent" to the Australian Nursing and Midwifery Federation's ACT branch as well as other private email accounts. One public servant was sacked and two others stood down, with the ACT Police and Integrity Commission called in to investigate the breach of the Health Records Privacy and Access Act 1997 and the Privacy Act 1988.

What Happened

In early February 2023, Canberra Health Services discovered a potential breach of patient privacy. An audit was undertaken to determine the breadth of the breach, which uncovered significant and sustained breaches of privacy legislation occurring over a period of years.

The investigation found that whole clinical records, including records scanned from hard copies, were deliberately emailed to external parties without patient consent. The recipients included the Australian Nursing and Midwifery Federation's (ANMF) ACT branch and other private email accounts.

Patients began to be informed about the data breach on 6 March, the same day that CHS CEO Dave Peffer sent an all-staff email to approximately 8,000 Canberra Health Services employees notifying them of the situation.

Impact on Individuals

Thirteen mental health patients had their complete clinical records shared externally without their consent over a period of years. The exposure of mental health records represents one of the most sensitive privacy violations possible, as these records typically contain deeply personal information about diagnoses, treatments, medications, family history, trauma, and other highly confidential matters.

Mental health patients are particularly vulnerable to the harms of privacy breaches, as disclosure of their mental health status can lead to stigmatisation, discrimination in employment or insurance, damage to personal relationships, and significant psychological distress. The knowledge that their most private medical information was shared externally over an extended period likely caused significant harm and erosion of trust in the healthcare system.

Organisational Response

Canberra Health Services took immediate disciplinary action, with one public servant sacked and two others stood down over the matter. The organisation called in both the ACT Police and the ACT Integrity Commission to investigate the unauthorized disclosures.

Mental Health Minister Emma Davidson named the ANMF ACT branch as one of the recipients of the patient records, though the records were also shared with other private email accounts whose recipients remain unknown.

The ANMF ACT branch secretary Matthew Daniel defended the disclosure, arguing that it was lawful and reflected a "long standing relationship with Canberra Health Services around the lawful disclosure of personal information when nurses and midwives had specific concerns around patient safety." Daniel stated the disclosures were "underpinned by law" and reflected in CHS's own policy regarding exceptions to providing information without consent.

However, CHS and the ACT Government maintained that the disclosures were illegal breaches of privacy legislation, and the matter has been referred for criminal investigation. The ACT Integrity Commission is considering more than 365,000 emails as part of its investigation into the privacy breach.

The incident highlighted ongoing tensions between healthcare worker concerns about patient safety, union advocacy, and strict privacy protections for sensitive medical records.

Verification Source: View original statement