The Falkland Islands Government says sorry for not notifying the police despite being aware patient confidentiality had been breached, and for not apologising immediately.
“We accept that those affected by the first data breach had to wait four years for any apology despite the KEMH and FIG being aware their right to confidentiality had been breached,” said Chief Executive Dr Andrea Clausen.
Dr Clausen, speaking in the Legislative Assembly today, refers to two confidentiality breaches at the King Edward the VII Memorial Hospital (KEMH): one in 2019 when an auxiliary nurse accessed patient files without reason and one in 2022 when an admin worker accessed 289 patient records.
Dismayed at the lack of a proper apology and the failure to protect patient records after both breaches, campaign group Justice4Patients filed a claim in the Supreme Court against the Falkland Islands Government (FIG) in January. The basis of the claim is that patients’ right to privacy has been breached and FIG failed to prevent the unauthorised access from occurring.
The group also listed four demands of the government: a detailed apology; an independent public inquiry into the circumstances of the breaches; an inspection of the medical department; compensation to everyone affected by the unauthorised access.
Patients left to report matters to police
In the apology delivered today on behalf of FIG and KEMH, Dr Clausen acknowledged the police was not called in 2019 despite the government and the hospital being aware patient confidentiality had been breached.
“This was wrong,” said Dr Clausen.
“Affected patients were left to report matters to the police themselves, inevitably causing further distress.”
The police investigation from the 2019 breaches resulted in a criminal trial of a former KEMH auxiliary nurse who was accused of reading the medical files of six patients without authorization.
The trial, in 2021, returned a not guilty verdict for offences of computer misuse as there are no data protection laws in the Falkland Islands. Despite the former KEMH employee admitting to accessing some patient files the senior magistrate found inadequate confidentiality training had been administered and the onus was on the hospital.
A lack of confidentiality settings being utilised on the electronic patient record system, EMIS, was also outlined and that the software (still in use) is extremely outdated.
These points were addressed this morning with Dr Clausen stating: “We apologise for not referring this matter to the police and for failing to train and monitor this former employee properly in relation to the confidentiality of data, data protection and information governance.”
Further data breach not prevented
Dr Clausen outlined that after the data breach in 2019 “some limited changes to strengthen data protection were made at the KEMH” but they “regrettably did not prevent a further data breach in 2022.”
It was members of the Justice4Patients group who identified this unauthorized access through requesting audits of their medical records. A further audit of all 3,705 patient records showed an administrative worker’s login had been used to access 289 patient records.
The affected patients were written to by the then director of Health and Social Services, the Royal Falkland Islands Police opened an investigation, and the admin worker was prosecuted for 16 offences of unauthorised access to computer material in May 2023.
It was said in court she had been given training on accessing records, had sworn an oath of secrecy, and had signed a code of confidentiality which stated staff must not access medical records for their own interests. However, the senior magistrate at the time said he was “troubled and surprised” she had access to all medical records with such ease.
Dr Clausen said today the government apologises that “more robust actions to address the findings in the first case were not taken” as “it could have significantly reduced the likelihood of this recurrence.”
Communication limited and no support offered
After the 2023 prosecution, it took 16 months for the health services and the government to update the community on what safeguards had been introduced to protect patient data and to publish a public apology.
“It is now approximately six years since the first data breach and nearly three years since the second, and we are very sorry that communication and apology over that timeframe has not followed what is considered to be “best practice” in these situations,” continued Dr Clausen today.
It is also accepted that “further efforts should have been made” to understand the impacts these beaches had on the community and communication with those affected was “very limited and no support offered.”
The chief executive said the KEMH and FIG hope this apology is accepted by the community and accept it as a starting point to “improve trust in confidentiality in the KEMH.”
External review to look at handling of data breaches
Justice4Patients says it is pleased the detailed apology has been made today and it is an “important first step in rebuilding trust in the medical department.”
However, the group says it is “disappointing it has taken so many years for them to fully acknowledge and apologise for their failures.”
In a statement Justice4Patients outlines it was only after the Supreme Court claim was filed that FIG and the medical department engaged with it and its lawyers in any meaningful way.
One of the group’s aims is for an independent review into the nature of the breaches and the government response.
This is something that the KEMH has committed to with the chief executive saying today: “This review will seek to understand how data breaches have been handled by the KEMH and FIG, what further lessons can be learned, and what additional measures can be taken t further strengthen information governance and improve our response when things go wrong.”
Still some way to go
Having the first demand of a detailed apology met, Justice4Patinets still asks that the KEMH and FIG make meaningful changes so that medical records are treated with the appropriate level of respect confidentiality and adequate compensation is given to all those affected by the breaches.
The group says it can see progress is being made against the stated aims but it “will continued to press forward on behalf of those affected by the breaches and for the wider community.”
Justice4Patients can be contacted by email at Justice4patients@hotmail.com
Those affected by the data breaches who feel their concerns haven’t been sufficiently addressed by the Falkland Islands Government can contact the Director of Health and Social Services for an appointment and a personal apology on pa.dhss@kemh.gov.fk
