Under the guidelines of the Privacy Commissioner (OAIC) all affected patients were notified immediately it became clear their was a breach of their personal information. The breach notification caused hundreds of patients to call the sports injury centre worried about the extent of personally identifying information, credit card information and patient records (medical history) removed without their authority.
The fraud report to Police outlined a well organised conspiracy, involving the director of Chiropractic, who had worked at the sports injury centre for over 14 years, other ex-employees and prolific fraudster Roselyn Singh, to hack a secured system to steal the patient database and IP. Using fear of losing their jobs and access to their patients as motivation Roselyn Singh and the Chiropractor also convinced most of the remaining professional staff to leave and work at their centres 'Active Muscle & Spine' and 'Sydney City Medical'.
Other employees and effected patients, many of whom had never had a consult with any of the ex-employees involved in the data theft, wondered how they were able to compromise their information given the high level of security used to protect patient files.
The sports injury centre provided concerned patients with an explanation of the security measures used to conceal restricted personal information and a screenshot of their patient file which clearly indicates all identifying information is marked "private" and could not be viewed or accessed by any healthcare professionals. Patients were directed to lodge complaints with the OAIC.
Following is one of the emails sent to concerned patients by the chiropractor primarily involved in organising the data theft:
Active Muscle & Spine
300 George Street
Sydney NSW 2000
Dear [patient name]
Thank you for your email and I apologise for any inconvenience our correspondence may have caused.
I contacted you as our records show you are a patient of [name of healthcare professional], a practitioner of mine when we practised at my previous clinic - [name of Medical Centre - removed by Data Theft].
[Sports Injury Centre] is a Serviced Office and as part of their front desk service, they collected patient contact information on my behalf.
Contact information is collected when a patient makes an initial booking with a practitioner.
I hope this helps to explain your query and if you have any further questions, please don't hesitate to contact me.
Regards
Name [name removed by Data Theft]
Active Muscle & Spine
The email is both misleading and deceptive. The sports injury centre is not a serviced office and at no time had the patients receiving this explanation ever been booked to see any of the ex-employees now working with the author of the email. The patients receiving this email were patients of colleagues who still worked at his ex-employers centre.
The emails author had been employed as a chiropractor to see the sports injury centre's patients and only the patient name, date of birth and patient record (medical history) was available to him and not, as stated by him, patient contact information or any other restricted personal data as indicated in the screenshot of patients files. No information was ever collected on his or any other employees behalf. All forms collecting restricted information are owned by the sports injury centre and are not seen or available to healthcare professionals.
The emails author and someone engaged by him, hacked the restricted area of the patient database misusing the authors login to obtain 'personally identifying information' and remove it without the authority management or patients, compromising the privacy of patients and breaching his contract with the sports injury centre.
After the data and IP theft from the sports injury centre and another competitor medical centre, also located in Sydney's CBD, Roselyn Singh added their business names and addresses to her own Sydney City Medical website to mislead and deceive patients. Patients calling the phone numbers listed beside the addresses were redirected to Active Muscle and Spine and Sydney City Medical. Singh also listed staff of the affected centres to assist in misleading patients searching for their practitioners by name. None of the practitioners listed (image below redacted for privacy) ever worked for Sydney City Medical or Active Muscle and Spine.
The redacted image below indicates how the affected centres and practitioners were listed on Singh's website and also shows Roselyn Singh passing herself off as having a doctorate and other tertiary qualifications.
Complaints to ASIC and Fair Trading for passing off and misleading and deceptive conduct have never been investigated.
Complaints by affected patients to the OAIC were dismissed by an OAIC investigator and the file closed with no action to be taken against Roselyn Singh or any of the ex-employee data thieves despite compelling evidence the thieves had stolen their personal information and lied to the investigator. Dissatisfied complainants were redirected to the Ombudsman by the OAIC investigator.
An extremely worrying circumstance is Roselyn Singh has been reported to Police and the HCCC for identity theft and Medicare Fraud yet Fraud Police, HCCC nor any other authority have so far investigated her. Even an independant Police report indicating Singh should be investigated has not raised an eyebrow with various State or Federal authorities.
Complainants reporting the thefts to NSW Fraud Police were told Roselyn Singh nor her associates could be charged with any crime. Complaints to the Health Minister, The Hon Jillian Skinner, were referred to Section 308H of the Crimes Act and for complainants to lodge a report to Police, HCCC and APHRA. Despite this reference Police have no legislative powers to charge ex-employees who steal customer lists, patient files or IP. Complaints to APHRA and the HCCC went either unanswered or referred complainants to seek civil legal advice. One of the chiropractors involved in the thefts is a member of the executive committee of an association for chiropractors and osteopaths. A manager of another osteopathic association told complainants they could be sued for defamation.
The ex-employees working with Singh and involved in the conspiracy to commit fraud and the systematic theft of thousands of patient's files are not named here due to potential for legal proceedings against them. The series of systematic data thefts, by Singh and these ex-employees followed a similar event at the same centre currently waiting a decision from the Supreme Court.
Ref: Police Fraud Report - Event Number E52384988
Check out the Privacy Act:
ReplyDeleteNote items 1.1, 1.2 1.3(c), 1.3(d), 1.4, 1.5
The National Privacy Principles extracted from the Privacy Act 1988 as at 14 September 2006:
1. Collection
1.1 An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.
1.2 An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.
1.3 At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:
(a) the identity of the organisation and how to contact it; and
(b) the fact that he or she is able to gain access to the information; and
(c) the purposes for which the information is collected; and
(d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and
(e) any law that requires the particular information to be collected; and
(f) the main consequences (if any) for the individual if all or part of the information is not provided.
1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.
1.5 If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.
Thanks Stanley.
DeleteUnfortunately we can't name the persons involved in the data theft above (yet) however for those who may have been effected by this incident or any similar incidents of data theft here is a link to Privacy Complaints Form: https://forms.business.gov.au/aba/oaic/privacy-complaint-/