Sydney Massage Therapist Michael Alcott Supports Data Theft in Blog Post

Sydney CBD Massage Therapist Michael Alcott published a misleading and deceptive post on his blog supporting employees breaching privacy to remove patient's personally identifying information from medical and health centres.

In a number of emails from Data Theft to Alcott he was asked to allow a right of reply to his post or to provide rebuttal before we published. He has never responded.

We reply here on Data Theft

Alcott: I like to keep things positive here but I’ve recently been contacted by some of my longer-term patients regarding text messages received from the clinic where I used to work, so my apologies if this seems a little negative in tone.

The first SMSs seemed to be about voting in the Sydney Business Awards and the 'clinic-that-shall-not-be-named' spruiking for votes. If you are unhappy receiving promotional materials, I suggest you contact the clinic and ask to be removed from their contact database.

I have seen the SMS in question and it does breach the guidelines of the Australian Communications and Media Authority so, if you are seriously aggrieved, you can make a complaint on or by forwarding the text to 0429 999 888. Be assured that your mobile number will only ever be used by me for reminder texts if you have agreed to receive these. I do not send promotional SMSs.

datatheft: The Sydney Business Awards organisers encourage nominated businesses to contact their customers to ask them to vote in the awards. A chance to win a cash prize of $1500.00 just for casting a vote is provided by the awards organisers. As part of one segment in the judging, award nominees, are scored on how they market their participation in the awards. To qualify as a finalist nominees must achieve enough votes to be in top four or five in their business category.

In the case of the "clinic-that-shall-not-be-named" (Alcott's words alluding to his ex-employer) their privacy policy and patient forms provide opt out options for all communications. A vote is only requested from patients if they had not opted out.

It is not uncommon for businesses to request reviews, or votes in various business awards, from their customers. Alcott himself encouraged patients to vote and attended awards presentation nights when he worked for his ex-employer.

Alcott: The second text was much more serious and involves patient records. Name removed (by Data Theft Au due to potential for sub-judice contempt), the clinic chiropractor, has left. A text was sent coinciding with this claiming that patient records had been stolen. It has been assumed that the clinic is implying that they were stolen by the practitioner, but as Name removed is an honest and honourable man, I certainly hope that this was not the implication. Unfortunately, this allegation has been levelled at others who have left.

datatheft: Under the Privacy Act as it relates to health records and under guidelines, provided by the Office of the Australian Information Commissioner (OAIC) and Australian Law Reform Commission (ALRC), patients are to be notified immediately it is known their personally identifying information or patient record (medical history) has been compromised. As of March 2014 notification of any breach of this information is mandatory (Privacy Amendment - Enhancing Privacy Protection Bill 2012).

Due to current legal proceedings in the Supreme Court against the "others" (Police Event Number E42593634) Alcott mentions, imminent legal proceedings against 'the person' named by Alcott in his post and potential sub-judice contempt we are prevented from expanding on what Alcott has alleged however a major fraud and breach of privacy by the person, named by Alcott, did occur and is currently under investigation (Police Event Number E52384988).

Alcott: Under NSW case law, a clinic, medical centre or serviced office cannot own patient records or “goodwill” as their relationship is only with the practitioners who work there. The patient’s relationship is with the practitioner, and therefore the owner (or custodian) of those records (“goodwill”) is that practitioner.

datatheft: We can find no case law in NSW or any other state of Australia that indicates a medical centre or clinic cannot own patient records. We have asked Alcott to provide examples and we will be pleased to publish them here. To-date there has been no response to our request.

"Patient records" refers to the patient history or medical record not the patient file to which the patient record is attached. The patient file also contains the patients personally identifying information which is restricted data. It is agreed the practitioner should make a copy of the medical record which is supported under the Health Act. This information is usually jointly managed by the health facility and the practitioner and has to be maintained for a minimum of seven years.

Regardless of practitioners requirement to have a copy of the patient record, removal of this sensitive information from any health facility still requires written authority from the patient.

The Goodwill Alcott refers to is in the creation of the patient file containing patient contact information, in which he and the "others" he mentions, had no input and no ownership nor authority to remove.

We refer to decisions in the Supreme Court (examples: Mid-City Skin Cancer and Laser Centre vs Dr Zahedi and the appeal case Health Services for Men Pty Ltd v D’Souza (2000) 48 NSWLR 448), the Health Records and Information Privacy Act 2002 (Who owns my medical records), National Privacy Principle - NPP 6.4 & 6.7, The Medical Council of NSW and the Commonwealth Copyright Act – copyright subsisting in a health record, on ownership of patient records.

The medical or health facility owns the "goodwill" attached to the patient file unless otherwise agreed with the practitioner. Health facilities and practitioners have a continuing obligation to maintain the patient record and that is not disputed. Removal of this information without written authority from the patient is where the breach in privacy occurs. Removing patient's contact information or restricted data, for the purposes of using that information for financial gain, is fraud, a breach of contract in most centres and a breach of the Privacy Act.

Alcott: A clinic is a shell, building, cash collection service, but your relationship will always be with your health care worker, not the receptionist or an entrepreneur.

datatheft: Clinics, medical centres or other health facilities are not buildings or cash collection services so eloquently labelled by Alcott and the issue is not about patient practitioner relationships, conveniently used by some to justify data theft. It is the illegal and unethical processes used to remove patient files from a health facility.

If the concern is for patients well being and continuing treatment "ethical professionals" discuss this with their employers management and negotiate an outcome that benefits the patient. In most practices there is a handover period where the incumbent practitioner works with their replacement to ensure continuity of informed care for each patient. They don't resort to data theft.

Alcott: If your practitioner has left and you wish to follow him or her, then you can ask the clinic for a copy of your records to take with you. Similarly, if at any stage you move on to another practice from here, feel free to ask me for a copy of your records.

datatheft: Patients will usually choose the healthcare professional who is conveniently located to their home or work and who they believe will best attend to their health needs. Patients can request a copy of their patient record at any time from any healthcare facility they have been attending. The Privacy Act requires proof of identity and a written request for the specific information be provided before copying and removing this information from a health facility. No health facility would refuse to provide patients access to their patient record.

Alcott's post is not really written to defend the removal of the patient record often referred to as medical history. He nor the others he mentions removed any patient records from their ex-employer. Alcott's post attempts to justify breaches of confidence and the Privacy Act to remove restricted data (patient's identity data) for financial gain.

His ex-employers employment contracts, as with most health professional contracts, have enforceable restricted areas and restricted activities clauses on termination. Alcott's post is actually supporting data theft, breaching contractual obligations, the privacy policy his ex-employer has with patients and the Privacy Act .

In an industry, where ethics should be sacrosanct and patients privacy absolute, publishing of a deceptive and misleading blog post supporting removal of patient's contact information without their authority and breaching confidence with an employer is disturbing.

Under recent changes to the Privacy Act (Privacy Amendment - Enhancing Privacy Protection Bill 2012), apart from any other damages caused to a health facility or any other business, the removal of restricted data by an employee without authority, potentially exposes their employers to fines of up to one million dollars. Meanwhile, the thief remains completely immune from prosecution due to lack of any legislation that will allow Police to charge employees for data theft.