Attempts to access Kate Middleton’s medical records are no surprise. Such breaches are all too common

The alleged^[1] data breach involving Catherine, Princess of Wales tells us something about health privacy. If hospital staff can apparently access a future queen’s medical records without authorisation, it can happen to you.

Indeed it may have already happened to you, given many breaches of health data go under the radar.

Here’s why breaches of health data keep on happening.

Read more: Yes, Kate Middleton's photo was doctored. But so are a lot of images we see today^[2]

What did we learn this week?

Details of the alleged data breaches, by up to three staff^[3] at The London Clinic, emerged in the UK media this week. These breaches are alleged to have occurred after the princess had abdominal surgery at the private hospital earlier this year.

The UK Information Commissioner’s Office is investigating^[4]. Its report should provide some clarity about what medical data was improperly accessed, in what form and by whom. But it is unlikely to identify whether this data was given to a third party, such as a media organisation.

Read more: After the Medicare breach, we should be cautious about moving our health records online^[5]

Health data isn’t always as secure as we’d hope

Medical records are inherently sensitive, providing insights about individuals and often about biological relatives.

In an ideal world, only the “right people” would have access to these records. These are people who “need to know” that information and are aware of the responsibility of accessing it.

Best practice digital health systems typically try to restrict overall access to databases through hack-resistant firewalls. They also try to limit access to specific types of data through grades of access.

This means a hospital accountant, nurse or cleaner does not get to see everything. Such systems also incorporate blocks or alarms where there is potential abuse, such as unauthorised copying.

But in practice each health records ecosystem – in GP and specialist suites, pathology labs, research labs, hospitals – is less robust, often with fewer safeguards and weaker supervision.

Read more: Vaccination status – when your medical information is private and when it's not^[6]

This has happened before

Large health-care providers and insurers, including major hospitals or chains of hospitals, have a worrying^[7] history^[8] of digital breaches^[9].

Those breaches include hackers accessing the records of millions of people. The Medibank^[10] data breach involved more than ten million people. The Anthem^[11] data breach in the United States involved more than 78 million people.

Hospitals and clinics have also had breaches specific to a particular individual. Many of those breaches involved unauthorised sighting (and often copying) of hardcopy or digital files, for example by nurses, clinicians and administrative staff.

For instance, this has happened to public figures such as singer^[12] Britney Spears^[13], actor George Clooney^[14] and former United Kingdom prime minister Gordon Brown^[15].

References

1. ^{^} alleged (www.abc.net.au)
2. ^{^} Yes, Kate Middleton's photo was doctored. But so are a lot of images we see today (theconversation.com)
3. ^{^} up to three staff (www.mirror.co.uk)
4. ^{^} is investigating (ico.org.uk)
5. ^{^} After the Medicare breach, we should be cautious about moving our health records online (theconversation.com)
6. ^{^} Vaccination status – when your medical information is private and when it's not (theconversation.com)
7. ^{^} worrying (www.theguardian.com)
8. ^{^} history (www.afr.com)
9. ^{^} digital breaches (www.innovationaus.com)
10. ^{^} Medibank (www.theguardian.com)
11. ^{^} Anthem (www.hipaajournal.com)
12. ^{^} singer (www.latimes.com)
13. ^{^} Britney Spears (journals.lww.com)
14. ^{^} George Clooney (www.nytimes.com)
15. ^{^} Gordon Brown (www.theguardian.com)
16. ^{^} tricked (theconversation.com)
17. ^{^} Did 2Day FM break the law? And does it matter? (theconversation.com)
18. ^{^} What is HIPAA? 5 questions answered about the medical privacy law that protects Trump's test results and yours (theconversation.com)
19. ^{^} condemn (www.bmj.com)
20. ^{^} share (www.abc.net.au)
21. ^{^} vigorously administered (theconversation.com)
22. ^{^} data breaches (www.oaic.gov.au)
23. ^{^} being updated (theconversation.com)
24. ^{^} Government's privacy review has some strong recommendations – now we really need action (theconversation.com)
25. ^{^} nudges (onlinelibrary.wiley.com)
26. ^{^} Where’s Kate? Speculation about the 'missing' princess is proof the Palace’s media playbook needs a re-write (theconversation.com)