Are You Protected Against Medical Identity Theft

Theft of patient files by ex-employees is out of control in Australia and will likely remain so until an amendment bill is added to current fraud and privacy legislation.

Unfortunately cases of medical data theft by ex-employees rarely make it to court as many affected practice owners don't have the financial means to pursue the thieves. The immediate impact on revenue caused by data theft leaves practice owners virtually no opportunity to take out any sort of legal action. The big medical chains injunct ex-employee data thieves, the smaller centres face an uncertain future with limited resources to fund their business expenses following data theft let alone the additional funding of any form of litigation.

Patients affected by data theft can never be sure their personal information will remain safe in the hands of ex-employee data thieves.

Data thieves may use the stolen files to help secure themselves a position with a competitor or start their own practice. They could also just as easily sell the data on the lucrative black market for patient identities or do both. Once the data is removed without the authority of the patient no-one can be sure exactly what will happen next.

The first time an affected patient will know there is anything going on with their patient file is when they are notified of a change of address by a health professional that they may have seen at a practice. Most patients will naturally assume the notice is a courtesy announcement of a move to a new location. If the patient receiving the notification hasn't provided some form of authority, for their files to be moved, then any change of address notification should be considered with suspicion.

Under a recently passed bill (Privacy Amendment - Enhancing Privacy Protection Bill 2012) any person affected by data theft has to be notified (effective March 2014) by the business holding the patient data immediately it becomes known their data has been compromised.

Unfortunately in many cases this will alarm the receiver causing them to join other notified recipients in contacting the practice concerned to find out what has happened to their information. The practice is blamed for the lack of security provided over their data and the thief gets away with total immunity from prosecution.

There is no legislation that will allow Police to charge ex-employee data thieves.

We came across the following article, published by Fox Business, which highlights just how valuable your patient file is to data thieves.

Protect Yourself Against Medical Identity Theft

From the Gerri Willis Daily

I’m a big fan of keeping my personal information personal. But when it comes to your medical information, maintaining privacy is difficult, if not impossible. That’s because your information isn’t just held by your doctor, hospital and insurer, it’s also a commodity bought and sold by marketers, data base companies and even retailers.

In fact, on the black market, your medical records are more valuable than your social security number. According to Dr. Deborah Peel of Patient Privacy Rights, it costs just 50 cents to a dollar to buy a social security number, but $14 to $24 to buy someone’s private medical details. Smart identify thieves are leaving the dumpster diving behind and focusing on medical identity theft because they prefer the deeper pockets of insurers to consumers.

Read more:

Using Computer Forensics to Investigate IP Theft

By Sid Venkatesan and Elizabeth McBride at LTN

Information technology advances have many salutary effects, allowing workplace flexibility and reduced IT spending. IT advances have also established a host of new intellectual property security issues stemming from data breaches, computer hacking, and theft of proprietary data by departing employees or consultants. These issues now affect companies large and small because all aspects of a company's intellectual assets are preserved electronically, and companies are increasingly relying on employees and independent contractors to access these assets remotely, 24 by 7.

When a valuable employee departs to a competitor, or leaves to start an unspecified "new venture," or even leaves for some "time off," an employer must be vigilant regarding the possibility that electronic copies of company trade secrets — such as confidential customer data, source code, business plans, or technical documents — may follow the former employee out the door. This "departing employee" scenario is probably the most common fact pattern that leads to trade secret litigation.

Companies are increasingly using computer forensics to investigate the who, what, when, where, and why of data theft by departing employees. "Computer forensics" in this context refers to the examination of digital devices, such as smartphones and laptops, and storage media, such as hard drives and thumb drives, in a forensically sound manner that preserves the contents and operating systems of these devices while extracting information regarding file creation, deletion, modification, and copying, and internet and software application usage, amongst other things. Though the field of computer forensics is continually evolving, computer forensic experts are playing an increasingly integral role in the trade secrets and business litigation landscape; it will not be long before litigants point to a company's failure to undertake forensic investigations as a lack of reasonable diligence that can bar a trade secrets claim.


So what should a company do when it learns that a newly departed employee has taken a prominent role at a competitor, or made suspicious statements, tweets, or blog posts? Read the rest of the article to see what a typical action plan could look like at > LTN LAW TECHNOLOGY NEWS

Health Industry: Leaving a Practice?

By Sharon Russell, Claims Manager, MDA National.

Do you have a legal obligation not to disclose or use confidential information obtained from your former practice?

In order to consider your obligations to your former practice it will be necessary to determine if you were engaged as an employee or an independent contractor.

Whilst many arrangements purport to be principal/independent contractor relationships, the Courts will look at the facts behind any such agreement to determine the true nature of the relationship. The Courts will consider aspects such as control and expectation of work, how it is performed, hours of work, the payment method and equipment use.1

In Boyar v House of Life,2 Fair Work Australia determined that a locum alternative medicine practitioner was an employee of the Traditional Chinese Medical Practice. In reaching this decision, the Commissioner stated the "single most important factor" in determining the type of relationship was that at all times the patients remained patients of the practice.

It is therefore likely that a large number of arrangements entered into by medical practitioners would be viewed as employment relationships.

In Australia employees owe certain fiduciary duties (a fiduciary duty is an obligation to act in the best interest of another party) to their employer, including an obligation of good faith. This includes not disclosing or misusing confidential information, which was obtained during the course of employment. This applies even when there is no expressed confidentiality or restraint clause in the contract.

The information generally, however, should be truly confidential as opposed to knowledge, skill and experience that a medical practitioner has acquired. In a recent case,3 the Federal Court of Australia stated:

The entitlement of an employee to use information obtained in the course of employment after leaving that employment will depend upon the nature of the information, and the manner in which it is obtained by the employee. The general rule is that, after the employment relationship has ended, a former employee may use know-how obtained in the course of the prior employment. He may not, however, use information of a confidential nature.

The situation is different if the information in question, even though it is not strictly speaking confidential information of the employer, is deliberately taken or copied by the employee while the employment relationship persists for use after the employment relationship ceased: Faccenda Chicken Ltd v Fowler [1987] Ch 117 at 136. In that case, a former employee was prevented from using the employer's know-how or non-confidential information that might otherwise have been available for use after termination of the employment relationship, because the information and the advantage that flowed from it was obtained through dishonesty.

In the context of a medical practitioner, this could include taking patients' details with the intention of contacting them either during or after leaving the practice and encouraging them to see the practitioner at their new practice.

It is important to bear in mind that the scope of what constitutes confidential information can be broadened by the terms of an employment contract.

That said, medical practitioners must also consider their professional and ethical obligations to patients when leaving a practice. This would include ensuring appropriate arrangements have been made for a patient's ongoing care. It would therefore be reasonable to inform patients that the practitioner is leaving the practice and to assist in facilitating arrangements for ongoing care, as opposed to actively soliciting patients and encouraging them to see the practitioner at their new practice.

In contrast, independent contractors do not owe a fiduciary duty to their principals, so the obligations owed to a former principal, in the absence of a written agreement, are less onerous. However, the Courts still may provide remedies to prevent unauthorised use of information, if it is found that the information was confidential, it was disclosed in circumstances indicating an obligation of confidence and damage or loss was suffered as a result of the information being disclosed or used.

MDA National recommends that Members exercise extreme caution if you consider that there is a possibility that you might use confidential information obtained from your former practice. If an issue arises, please contact MDA National for advice.

1 Independent Contractors and Employees – Fact Sheet, Australian Government, Fair Work Ombudsman Website- www.fairwork.gov.au.
2 [2011] FWA 7953
3 Spotless Group Ltd v Blanco Catering Pty Ltd (2011) 93 IPR 235

Sydney City Medical Centre owner Roselyn Singh suspect in identity theft

> The Roselyn Singh File

In February 2013, Sydney City Medical Centre owner Dr Roselyn Singh PhD, MBA, BCom (Hons), lodged a vexatious complaint with the NSW Health Care Complaints Commission (HCCC), against a competitor medical centre owner using an identity she stole from another competitor.

The extent of the use of the competitors identity, is unknown. However it can be revealed the identity has been used by Singh, since early 2012. It is also alleged Singh used other identities to intimidate competitor medical centre owners and staff.

Singh's fraudulent behaviour and intimidation of competitors doesn't end there. Complaints have been lodged against Singh with Police, ASIC, ACCC and Fair Trading for identity theft, false accusations causing an investigation, data and IP theft, misleading and deceptive conduct and passing off. Singh routinely lists competitor practices on her website including their addresses however with a different phone number. Callers are then redirected to Active Muscle and Spine at 300 George Street owned by an associate of Singh and Sydney City Medical which is owned by one of Singh's companys' UTSG Consortium Pty Limited (under administration).

In one of the largest ever reported personal information thefts in the medical industry, one of the centres listed on Singh's website had most of its patient data base compromised and IP stolen in a series of systematic frauds orchestrated by Singh and ex-employees of the centre listed.

Police, ASIC, ACCC and Fair Trading have so far failed to ignite an investigation into Singh or her associates. Fraud Police maintain lodging a false complaint using a stolen identity is not a crime and they have no legislative powers to charge Singh or her associates with data theft. In addition a Fair Trading insider explained, "it is not significantly important enough for us to investigate". Another example of Small Business being let down by authorities despite a clear mandate to investigate and prosecute business owners making false and misleading claims

Inquiries, by Data Theft, into Singh’s profile, appearing on Linkedin (Google search ‘Roselyn Singh PhD’), have failed to validate her publicised credentials. The University of Sydney, listed by Singh, has no record of her having studied for a PhD, MBA or BCom (Hons). Singh's present employers Deloitte and PwC, listed by Singh on her Linkedin profile, have been unable to locate her on their payroll records.

Roselyn Singh also owns VHealth Plus and has been President of Miss Earth Australia (since 2013). Both these organisations are located at 40 Park Street Sydney.

Singh's claims, published on her websites and various other websites, her medical centres and Miss Earth Australia are not-for-profit entities supporting various charities and foundations also remain unsupported by any discoverable evidence. None of Singh's entities are registered with ACNC.

Despite an independant Police report indicating Singh should be investigated, evidence and witnesses the HCCC have refused, without explanation, to lodge a complaint with Police against Singh for using a stolen identity to provide false information about a doctor causing an investigation, a crime under the Health ACT 2002 and the Crimes Act 1900. Complaints to the Health Minister, The Hon Jillian Skinner, have been redirected back to the HCCC and APHRA. APHRA will not investigate Singh because she is not a practicing health care professional.

Do you know more?

If you have information about Singh's interesting conduct or are a victim of one of Singh's scams Contact us