Sunday 20 January 2013

Get Out of Jail Free Card for Healthcare Workers

There is a duty of care and privacy to all patients, which needs to be respected by healthcare professionals, the professional associations they are members of, the Australian Health Practitioner Regulation Agency (AHPRA), its sub-boards and all health facilities.

Any violation of these considerations by a health professional breaches the confidence of patients, AHPRA, its sub-boards, professional health associations and employer health facilities.

The community expects more from Government Regulatory Bodies than turning a blind eye to morally bankrupt behaviour by healthcare workers they are commissioned to regulate. Serious breaches of privacy should attract appropriate penalties.

Under recent amendments to the Privacy Act (Privacy Amendment - Enhancing Privacy Protection Bill 2012), data theft by healthcare professionals could be regarded as serious and, at the discretion of the Privacy Commissioner, the employer (Medical Centre) could be heavily fined, yet the data thief goes free.

Currently the position of AHPRA and its sub-boards on this type of behaviour falls well short of the expectations of the community and all businesses who employ health professionals.

Theft of restricted data and its removal without the authority of patients breaches the Privacy Act, apart from any other contractual arrangements between employers and health professionals.

The breach of confidence with the medical centre by a healthcare professional, due to data theft, is a commercial matter and can be dealt with in the civil courts if the ex-employer has the financial means, after the data theft, to sue for loss and damages.

However, the immunity from prosecution by Police currently afforded to employed health professional data thieves, due to the lack of legislative powers to prosecute and the blind eye approach by AHPRA and its various sub-boards, does little to instil confidence in the community. Patients have every right to expect their private and confidential information to remain safe and secured as required under the Privacy Act and as indicated in most health facility privacy policies.

A recent data theft event, covered on Data Theft Australia, was a multi-million dollar fraud affecting patients' right to privacy and continuing care. It closed down one of Sydney's largest and most advanced sports injury centres and saw experienced staff laid off right on Christmas.

AHPRA and The Chiropractic Council of NSW, in consultation with the Healthcare Complaints Commission, resolved to take no action against the perpetrators of this fraud affecting thousands of patients, health centre employees, the community at large and the business owners. To our knowledge these bodies have never prosecuted a healthcare worker for data theft and / or breaching the privacy of patients.

Ethically challenged healthcare workers have effectively been given a get out of jail free card to commit major fraud, steal patient data and remove it from healthcare facilities without patients' written authority. That authority is a current requirement under the Privacy Act as it relates to patient medical files, but it is unenforceable in cases of data theft by employees.

This freedom should be a major concern for all patients attending any health facility anywhere in Australia and contradicts the rhetoric propagated recently by the previous Attorney General Nicola Roxon and the Privacy Commissioner Timothy Pilgrim about new privacy powers.

Currently the Privacy Amendment - Enhancing Privacy Protection Bill 2012 does not cover any employed person who steals data from their employer, yet it subjects the employer, at the discretion of the Privacy Commissioner, to potentially huge fines for breaches of privacy while the ex-employee data thief remains immune from prosecution.

Roselyn Singh Conspires with Ex-employees to Steal Patient Files

The theft of patients' personal information, by Sydney City Medical Centre owner Roselyn Singh and ex-employees of a long established competitor sports injury centre, had many affected patients complaining about security and about Active Muscle & Spine, the business where their information was moved to.

Under the guidelines of the Privacy Commissioner (OAIC), all affected patients were notified as soon as it became clear there was a breach of their personal information. The breach notification caused hundreds of patients to call the sports injury centre, worried about the extent of personally identifying information, credit card information and patient records (medical history) removed without their authority.

The fraud report to Police outlined a well organised conspiracy, involving the director of Chiropractic, who had worked at the sports injury centre for over 14 years, other ex-employees and prolific fraudster Roselyn Singh, to hack a secured system to steal the patient database and IP. Using fear of losing their jobs and access to their patients as motivation, Roselyn Singh and the Chiropractor also convinced most of the remaining professional staff to leave and work at their centres 'Active Muscle & Spine' and 'Sydney City Medical'.

Other employees and affected patients, many of whom had never had a consult with any of the ex-employees involved in the data theft, wondered how they were able to compromise their information given the high level of security used to protect patient files.

The sports injury centre provided concerned patients with an explanation of the security measures used to conceal restricted personal information and a screenshot of their patient file which clearly indicates all identifying information is marked "private" and could not be viewed or accessed by any healthcare professionals. Patients were directed to lodge complaints with the OAIC.

After receiving a barrage of SMSs and emails from Active Muscle and Spine, patients contacted them to ask how they were able to get their information, particularly as they had never had a consultation with them nor ever booked an appointment with them.

Following is one of the emails sent to concerned patients by the chiropractor primarily involved in organising the data theft:

Active Muscle & Spine
300 George Street
Sydney NSW 2000

Dear [patient name]

Thank you for your email and I apologise for any inconvenience our correspondence may have caused.

I contacted you as our records show you are a patient of [name of healthcare professional], a practitioner of mine when we practised at my previous clinic - [name of Medical Centre - removed by Data Theft].

[Sports Injury Centre] is a Serviced Office and as part of their front desk service, they collected patient contact information on my behalf.

Contact information is collected when a patient makes an initial booking with a practitioner.

I hope this helps to explain your query and if you have any further questions, please don't hesitate to contact me.

Name [name removed by Data Theft]
Active Muscle & Spine

The email is both misleading and deceptive. The sports injury centre is not a serviced office and at no time had the patients receiving this explanation ever been booked to see any of the ex-employees now working with the author of the email. The patients receiving this email were patients of colleagues who still worked at his ex-employer's centre.

The email's author had been employed as a chiropractor to see the sports injury centre's patients, and only the patient name, date of birth and patient record (medical history) were available to him and not, as stated by him, patient contact information or any other restricted personal data as indicated in the screenshot of patients' files. No information was ever collected on his or any other employee's behalf. All forms collecting restricted information are owned by the sports injury centre and are not seen by or available to healthcare professionals.

Patients rarely ring and ask for a specific practitioner unless they are an existing patient or have been referred. Most new patients are referred by the centre's front desk to the healthcare professional who is best able to deal with their specific health issue and available when the patient can attend an appointment.

The email's author, and someone engaged by him, hacked the restricted area of the patient database, misusing the author's login to obtain 'personally identifying information' and remove it without the authority of management or patients, compromising the privacy of patients and breaching his contract with the sports injury centre.

After the data and IP theft from the sports injury centre and another competitor medical centre, also located in Sydney's CBD, Roselyn Singh added their business names and addresses to her own Sydney City Medical website to mislead and deceive patients. Patients calling the phone numbers listed beside the addresses were redirected to Active Muscle and Spine and Sydney City Medical. Singh also listed staff of the affected centres to assist in misleading patients searching for their practitioners by name. None of the practitioners listed (image below redacted for privacy) ever worked for Sydney City Medical or Active Muscle and Spine.

The redacted image below indicates how the affected centres and practitioners were listed on Singh's website and also shows Roselyn Singh passing herself off as having a doctorate and other tertiary qualifications.

Complaints to ASIC and Fair Trading for passing off and misleading and deceptive conduct have never been investigated.

Complaints by affected patients to the OAIC were dismissed by an OAIC investigator and the file closed with no action to be taken against Roselyn Singh or any of the ex-employee data thieves despite compelling evidence the thieves had stolen their personal information and lied to the investigator. Dissatisfied complainants were redirected to the Ombudsman by the OAIC investigator.

An extremely worrying circumstance is that Roselyn Singh has been reported to Police and the HCCC for identity theft and Medicare Fraud, yet neither Fraud Police, the HCCC nor any other authority has so far investigated her. Even an independent Police report indicating Singh should be investigated has not raised an eyebrow with various State or Federal authorities.

Complainants reporting the thefts to NSW Fraud Police were told neither Roselyn Singh nor her associates could be charged with any crime. Complaints to the Health Minister, The Hon Jillian Skinner, were referred to Section 308H of the Crimes Act, and complainants were told to lodge a report with Police, the HCCC and AHPRA. Despite this reference, Police have no legislative powers to charge ex-employees who steal customer lists, patient files or IP. Complaints to AHPRA and the HCCC either went unanswered or referred complainants to seek civil legal advice. One of the chiropractors involved in the thefts is a member of the executive committee of an association for chiropractors and osteopaths. A manager of another osteopathic association told complainants they could be sued for defamation.

The ex-employees working with Singh and involved in the conspiracy to commit fraud and the systematic theft of thousands of patients' files are not named here due to the potential for legal proceedings against them. The series of systematic data thefts by Singh and these ex-employees followed a similar event at the same centre, currently awaiting a decision from the Supreme Court.

Ref: Police Fraud Report - Event Number E52384988