Saturday, 28 March 2009

Medical histories on internet

By: Anna Caldwell and David Earley

AN alarming privacy breach by one of Queensland's biggest pathology labs has splashed patient medical histories over the internet.

The names, contact numbers and private details of at least 100 patients, and potentially hundreds more, were plastered on the website of Brisbane-based Sullivan Nicolaides.

The breach has cast serious doubt on the safety of electronic patient record systems, and angry patients were last night demanding answers.

The Courier-Mail yesterday viewed 102 patients' details before it alerted the lab to the security breach, which has been blamed on a processing error.

Kay Faulkner from Brisbane was devastated to hear the details of her recently deceased husband were so easily accessible.

"This is disgusting," she said.

"Dishonest people can easily misuse the details of someone who has died so for me this is a serious breach."

Rick and Cindy Gore from north Queensland said the security lapse was "completely unacceptable".

"We were never given a password or website to access so there is no reason for this information to be online - it is not like we could log on and check it ourselves."

The use of electronic records in medicine has jumped as software systems become more sophisticated. But the failure at Sullivan Nicolaides has shown the potential for online records to fall into the wrong hands.

All patients affected by the breach were referred to Sullivan Nicolaides by their GPs for the management of warfarin doses, a blood-thinning drug.

Most were from Queensland and northern NSW, with the files dating back to 2007 and 2006.

The records detail relevant medical history, current medications, as well as patients' next of kin.

Sullivan Nicolaides CEO Michael Harrison initially refused to reveal how many patients' records were violated and accused The Courier-Mail of "acting like terrorists".

He later apologised and said 103 files were breached, although The Courier-Mail believes it could be many more.

Mr Harrison said the company had taken the security problem "very seriously", and within an hour of being alerted, the records were removed.

He said patients' details were only meant to have been accessed by authorised doctors and staff.

"Honestly, we are flummoxed (by the breach)," he said.

Despite the violation, Mr Harrison said e-health was the future of medicine. "I don't want this to be adverse publicity for e-health because electronic health records are crucial to ensuring patients get the right care."

Chair of the Privacy and Security Forum and board director of the Health Informatics Society of Australia Peter Croll said that although private medical records should never be publicly available, there was nothing in the law requiring a breach to be reported.

"Obviously it's totally inappropriate," Mr Croll said.
