
An expensive email error

08 Dec 2020

by Dr Jane Deacon

A recent case [1] heard by the Australian Information Commissioner is a timely reminder for practices to take care with email communication – as simple errors can have serious consequences.

A married same-sex couple (SD and SE) were attending a practice which had a particular focus on sexual health and HIV-positive persons.

SD and SE had previously been part of a global study into HIV. The couple were considering participating in a further study and had previously provided their email addresses. SD’s email address was clearly his work email and contained reference to his place of employment. SE’s email address contained his first and last name, as well as his middle initial.

On 22 December 2017, the practice sent an email to SD’s work email address. An email intended for SE was also sent, but it went to an incorrect email address due to an error caused by his middle initial being omitted.

The email was noted by SD, and within a couple of minutes he sent an email to the practice requesting that an alternate, private email address be used. The practice then sent a further email to SD’s personal email address, containing a consent form for a medical study. This email was once again copied to SE’s incorrect email address. SD notified the practice that they had used an incorrect email address for SE.

More than a month later, SD and SE had heard nothing from the practice. SD sent a further email to the practice seeking information about their response to the disclosure.

A few days later, the practice responded with an apology for “inconvenience and disappointment” and stated they were investigating the incident.

SD and SE lodged a complaint with the Office of the Australian Information Commissioner (OAIC) two weeks later.

The complaint

SD and SE complained that personal and sensitive information had been sent to an incorrect email address, disclosing their names, details of SD’s workplace, and that they were HIV positive.

The disclosure had negatively affected SD’s family, career aspirations and concentration at work. He stated that he was suffering from anxiety, paranoia and humiliation, and was seeking ongoing psychological treatment.

SD sought a formal apology from the practice as well as compensation for the distress and psychological harm suffered and the cost of the psychological treatment.

SD stated that the fact the practice had not responded to him regarding the disclosure until his follow-up email more than a month later had added to his distress, and that the apology he received did not appreciate the seriousness of the breach.

Some months later, SD was advised by his treating doctor that he should find a new treating doctor due to the breakdown in trust arising out of the privacy breach.

SE had also suffered emotional anguish and stress, and the disclosure had negatively affected the relationship between the two of them.

The decision

When considering the matter, the Australian Information Commissioner, Angelene Falk, stated the following:

In coming to my decision on compensation, I have considered the nature of the information being sensitive medical information, the fact that the disclosure was to a single third party who does not appear to have used the information in any way, the impact of the disclosures on each of the complainants, and the relevant case law.

I find that arising out of the privacy breach, the first complainant (SD) found himself in a situation where the relationship of trust had broken down with his treating doctor, and it was suggested to him that he find a new treating practitioner or clinic. I consider that the circumstances of the privacy breach, together with the breakdown of trust and his perception that the clinic had abandoned him has contributed to his feelings of distress. I consider this to be causally connected to the privacy breach.

Outcome for the practice

The practice was ordered to pay compensation of $13,400 to SD, and $3,000 to SE.

The practice was also ordered to take steps to ensure the conduct was not repeated. The practice implemented a policy to avoid email communications and now requires two-step authentication for emails with sensitive information. The practice has also sought additional privacy training for its staff.

Medico-legal discussion

Email communication is increasingly being used by practices to communicate with patients. Great care should be taken with this, as it’s easy to make an error with the email address, and a single mistyped or out-of-date address sends the patient’s information to a stranger.

Medical practices are legally required to take reasonable steps to protect the security of the personal information held. Practices should have a privacy policy, a data breach response plan, and a policy for internet and email communication. Staff training in this area is important.
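A practical way to act on the advice above is a pre-send check that compares every typed recipient against the addresses the patient has actually registered, and that treats a near match (such as the dropped middle initial in this case) as a likely transcription slip rather than a valid address. The following is an added illustration, not code from MDA National or from the practice in the case; the patient register, the do-not-use list and all addresses are constructed and fictitious, and the function names are hypothetical.

```python
"""Pre-send recipient verification for emails carrying sensitive information.

Added illustration (not from MDA National or the practice in the case study).
The patient register below is constructed and fictitious; in a real practice
the registered addresses would come from the practice management system.
"""

# Constructed register: patient id -> {label: registered address}.
# Mirrors the case: one patient has a work and a personal address, the
# other's address includes a middle initial that is easy to drop.
PATIENT_REGISTER = {
    "P001": {"work": "sd@employer.example", "personal": "sd.private@mail.example"},
    "P002": {"personal": "first.m.last@mail.example"},
}

# Addresses a patient has asked the practice NOT to use for clinical
# correspondence (in the case, SD asked that his work address be avoided).
DO_NOT_USE = {"P001": {"sd@employer.example"}}


def normalise(address: str) -> str:
    """Canonical form for comparison: trimmed and lower-cased."""
    return address.strip().lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value suggests a transcription slip such as a
    dropped initial rather than a genuinely different address."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_recipient(patient_id: str, address: str, register=PATIENT_REGISTER,
                    do_not_use=DO_NOT_USE, max_distance: int = 2):
    """Classify a typed address against the patient's registered addresses.

    Returns (status, registered_address):
      "ok"         - exact match with a registered, permitted address
      "restricted" - registered, but the patient asked that it not be used
      "near_miss"  - within max_distance edits of a registered address
      "unknown"    - matches nothing on record
    """
    typed = normalise(address)
    registered = {normalise(a) for a in register.get(patient_id, {}).values()}
    blocked = {normalise(a) for a in do_not_use.get(patient_id, set())}
    if typed in blocked:
        return "restricted", typed
    if typed in registered:
        return "ok", typed
    # Find the closest registered address; a tiny distance is the classic
    # "middle initial omitted" slip from the case study.
    closest = min(registered, key=lambda r: levenshtein(typed, r), default=None)
    if closest is not None and levenshtein(typed, closest) <= max_distance:
        return "near_miss", closest
    return "unknown", None


def vet_recipients(recipients, register=PATIENT_REGISTER, do_not_use=DO_NOT_USE):
    """Vet every (patient_id, address) pair and return the list of problems.

    An empty list means the message may be sent. Anything else should stop
    the send and be shown to the sender for a second-person check.
    """
    problems = []
    for patient_id, address in recipients:
        status, registered = check_recipient(patient_id, address, register, do_not_use)
        if status != "ok":
            problems.append((patient_id, address, status, registered))
    return problems


if __name__ == "__main__":
    # Constructed recipient list reproducing the two slips from the case.
    draft = [("P001", "sd@employer.example"), ("P002", "first.last@mail.example")]
    for problem in vet_recipients(draft):
        print("BLOCKED:", problem)
```

The check only compares against addresses already on record, so it cannot approve an address the practice has never verified; an "unknown" result is deliberately treated the same as a near miss and blocks the send until a second person confirms it. The distance threshold of two edits catches a dropped initial or a single typo while still treating a substantially different address as unknown.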

Under the Notifiable Data Breaches scheme [2], privacy breaches that are likely to result in serious harm, and where the harm has not been mitigated, must be notified to the OAIC.

It’s likely that the poor handling of this situation after the data breach occurred contributed to the distress experienced by the two patients.

More resources

Office of the Australian Information Commissioner
Data breach preparation and response
oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response

Royal Australian College of General Practitioners
Internet and email policy template
racgp.org.au/running-a-practice/security/protecting-your-practice-information/information-security-in-general-practice/introduction

MDA National
Online library of privacy-related articles

References

1. 'SD' and 'SE' and Northside Clinic (Vic) Pty Ltd [2020] AICmr 21 (12 June 2020). austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/aicmr/2020/21.html
2. MDA National. Must I report this privacy breach? 12 June 2019. mdanational.com.au/advice-and-support/library/articles-and-case-studies/2019/06/reporting-privacy-breach-flowchart
