More than 70 upper North Island health workers have been disciplined for snooping into patients' records in the past three years, and not all of the patients have been told.
Most of the nosy staff - 61 - were at the Auckland District Health Board, where more than half of the disciplinary actions were associated with one incident: the 2012 case of the man who had an eel removed from his rectum at Auckland City Hospital.
Auckland DHB chose to exclude the eel incident from the figures it supplied to the Herald under the Official Information Act on breaches in the past three financial years, because it had been previously reported.
Chief executive Ailsa Claire said that of the 35 non-eel cases - three staff were sacked, 25 received a warning and seven had no disciplinary action taken - more than 70 per cent were identified by "our routine, comprehensive internal audit process.
"The remaining cases were identified either by managers' observations or patient complaints. In cases where there was confirmed access without proper justification, the patient involved was notified."
It is unclear why Auckland had so many more incidents than the others. It employs the most staff - more than 10,000 - in contrast to Waikato, which was the second highest offender and employs 6500. Each Auckland DHB employee with access to clinical systems has two months' emails reviewed each year.
"Auckland DHB takes its responsibility to manage confidential patient information seriously," a spokesman said.
Bay of Plenty DHB sacked an employee in 2012 for accessing records of 49 people.
" ... the staff member accessed and used patient information for her own reasons, mostly related to either personal knowledge of the patient or because they were colleagues," said chief executive Phil Cammish.
In that and one other case the DHB apologised to the patients.
In 2014/15, Bay of Plenty sacked a second employee over accessing patients' records, but in this case did not notify the patients.
" ... the staff member accessed and used the patient information in an employment dispute with BoP DHB," Mr Cammish said.
"As the employee used the patient information - name and diagnosis - in court documents, the dissemination, though a breach of the [Health Information Privacy] Code, was contained within restricted documents.
"Therefore the risk of harm to the patients concerned was assessed as low. Pursuant to Privacy Commissioner guidance the individual patients were therefore not notified of the breach."
Waitemata, Tairawhiti and Lakes notified the patients affected by their breaches. Waikato notified patients in four cases; the fifth resulted from a patient complaint.
A spokesman for the Northland DHB, Dr Mike Roberts, said it did not tell the patients in its two cases because the nature and severity of the breaches did not warrant notification.
"In the event the breach involved known use of the information - i.e. identity theft, blackmail, embarrassment, saving of information to a file, printing, emailing or otherwise being shared - then informing the patient or their representative would be considered."
Privacy Commissioner John Edwards said " ... it is often - but not always - best for agencies to inform the affected people."
Counties Manukau said last week it hadn't notified the patient affected by its employee's breach as it would have been minor.
DHB disciplinary action against staff for snooping into patient records
Bay of Plenty 3
Counties Manukau 1
Auckland 61 *
*including the eel incident
Source: supplied by district health boards for 2013-2015 financial years