An Auckland district health board has apologised and paid compensation to a woman whose sensitive mental health records were wrongly given to ACC.
A Privacy Commission decision, released today, said the Auckland woman agreed ACC could access medical records held by a local board.
But ACC contacted the wrong board and it disclosed the woman's file, including "sensitive mental health information that was no relevant to her claim".
The board didn't notice it received the request in error.
"ACC did not retain the irrelevant information, but we were concerned that the DHB had accessed all of the woman's information and had released it to a third party," the Privacy Commission's decision says.
The woman has since received an apology from the board and it placed an alert on her mental health file indicating caution if releasing it to third parties.
The board compensated the woman for the "stress caused by disclosing sensitive mental health information incorrectly".
Staff have also received training on accessing records.
The Privacy Commission looked into what information could be accessed by boards and what "security safeguards" there were.
"We found that all three DHBs in the Auckland region can electronically access information about patients that have been treated at any one of those DHBs.
"In this case, the woman attended a DHB five years previously and so the responding DHB was able to access her records."
There were restrictions on mental health information and users had to record why they were accessing it.
"...Automatic alerts were sent to system administrators when this function was invoked. All 'break glass' instances were audited," the commission's decision says.
"In this case, the person responding to the request accessed the woman's mental health file when they should not have.
"Once the glass had been broken, and a user navigated further into the database, it was no longer possible to see which patient files belonged to which DHB so all information was accessed."
The commission found the IT system allowing all boards to access information was secure and there was a regional policy on sharing health information.
"DHBs can identify who has accessed a user's clinical record, why they accessed it and what they accessed within the record. All access was randomly audited on a regular basis.
"In this case ACC's request was made to the wrong DHB and it should therefore have been declined.
"Further, only information relevant to the ACC claim should have been provided. This was not easy to determine, as after breaking the glass, users could not see which files related to which DHB. This was improved by creating clear labels showing where the information had been generated."
The boards and the woman were not named in the decision.