A member of the public who sneaked into a major surgery allegedly used a swipe card belonging to a medical student now banned from Wellington Hospital.
A number of separate investigations are underway after the massive breach, which has led to an urgent review of security at the hospital.
The Weekend Herald understands the intruder used a hospital swipe-card that belonged to a University of Otago final-year medical student on placement at the hospital, and who is now banned from DHB grounds while investigations are made.
The man was able to find his way to a surgical theatre, despite not being an employee or having worked at the hospital - raising the possibility he had directions.
A Capital & Coast DHB spokesperson declined to comment when asked about the swipe card, citing an ongoing investigation.
DHB chief medical officer John Tait has previously confirmed a member of the public got into a surgery under "false pretences" in the last week of August, and that "we understand that the actions of a medical student were involved in the breach".
The matter of the man who got into the surgical theatre was referred to police, who declined to take any action. The University of Otago has started its own investigation into the allegations.
The DHB has not said how long the person was in the surgery or what stage it was at, what they did when in the theatre, and whether the patient was undressed or exposed. The patient has been apologised to.
Richard Lander, the Royal Australasian College of Surgeons' executive director of surgical affairs, told the Weekend Herald that, as reported, the incident was "a serious breach of both the patient's privacy and the hospital's duty of care in regard to informed consent", and the college supported the standing down of the medical student while investigations take place.
"Our expectation is that the presence of any person in the operating theatre who is not a health professional, would need the express consent of the patient.
"No doubt the hospital has rules and regulations around which personnel are allowed to be in operating theatres at any given time, and we would hope that in light of this incident there is a comprehensive review of those regulations."
The Office of the Privacy Commissioner was notified by the DHB. A spokesperson wouldn't say whether it had received a complaint from the patient or their family, citing the requirement to maintain secrecy.
Actions after past investigations have included making recommendations and, where appropriate, publicly naming organisations which have committed egregious privacy breaches, particularly if there are systemic issues.
The University of Otago says it cannot confirm or discuss details of the allegations involving its student, who is not currently able to undertake clinical placements.
The Wellington Health Professionals' Association, which represents the interests of medical students studying at the university's Wellington campus, said its only knowledge of the case came from media reports.
Fake identity medical breaches are rare but there are recent examples.
Overseas, a woman posed as a medical student to observe surgeries and even help transport a patient to recovery at Brigham and Women's Hospital in Boston, US, having gained access by "tailgating" staff as they entered the rooms.
Last year a 23-year-old was jailed for a year after pleading guilty to unauthorised practice of medicine, after posing as a doctor and diagnosing a patient about a growth on his neck in a consult room at the University of California Irvine Medical Centre.
In New Zealand, an infamous case involved bogus Polish psychiatrist Linda Astor, who in 1996 conned her way into a job at Hutt Valley DHB where she prescribed electro-convulsive therapy and removed a compulsory treatment order for a patient who later beheaded his girlfriend.