23 Dec 2022

Patient records from second psychiatric hospital caught up in Archives NZ breach

9:54 am on 23 December 2022
Archives NZ

A new OIA response shows patient records from Seaview psychiatric hospital, near Hokitika, were mistakenly put online, too. Photo: RNZ / Samuel Rillstone

The national archive, fresh from apologising for one privacy breach, admits a second psychiatric hospital was caught up in it.

Archives NZ apologised on Monday for a breach of Sunnyside psychiatric hospital records.

Now a new OIA response shows patient records from Seaview psychiatric hospital, near Hokitika, were mistakenly put online, too.

But Archives NZ said because no one accessed the Seaview records, it chose not to notify the public.

"The reason Seaview was not mentioned in any releases is to avoid causing distress to any members of the public who may have been at Seaview and who may have been concerned their data was accessed - it wasn't," chief archivist Anahera Morehu told RNZ.

The Crown agency has been beset this year by a series of security and privacy breaches, and internally has expressed fears about "reputational" risks.

Three Sunnyside Hospital files of more than 7000 name entries - along with ages and health conditions - for certain years between 1952 and 1973, were mistakenly made 'open access', and accessed briefly by two members of the public in August and September.

Archives NZ revealed on Thursday that the Sunnyside and Seaview records were wrongly accessible "for several months before the error was discovered".

RNZ reported the breach last week, and on Monday Archives NZ apologised.

However, it said nothing about Seaview.

That hospital's role came to light this week in an internal Archives NZ report from November that said:

"Further investigation identified a total of six restricted files containing private health and personal information of a sensitive nature, from both Sunnyside and Seaview Psychiatric Hospitals, had been made accessible in error."

Making restricted records 'open access' is a breach of security.

Asked about this, Morehu said: "Seaview has not been mentioned in any of our previous releases because the files related to Seaview were not accessed by any members of the public so there was no breach."

"Six files were marked incorrectly but only three were accessed. Those three files were Sunnyside files."

The health records were entrusted to Archives NZ by Te Whatu Ora Health NZ.

They relate to the hearings by the Royal Commission of Inquiry into Abuse in Care.

Ex-patients at Sunnyside had not been notified of the breach ahead of the story breaking.

Archives NZ had a plan to notify them by early December but told RNZ it had pushed that back to mid-January - it was "working as fast as we can" on a plan that minimised harm.

Earlier this week Morehu said: "From the moment we were notified, we have been working at pace on investigations and our response.

"We recognise the trust people and agencies have in Archives to protect their restricted information.

"We apologise to those who are affected or potentially affected for this error and the impacts it may cause."

She has not agreed to interview requests.

On Monday Morehu said it was "disappointing" RNZ had reported the breach, which had forced Archives NZ to accelerate its response.

"It's important to us, and the agencies we're working with, to be robust yet swift in our response."

The Sunnyside files cover certain years between 1952 and 1973.

Sunnyside, in Christchurch, closed in 1999, and Seaview in 2009.

Archives NZ has suffered a series of security breaches since February due to its malfunctioning new Collections Search system.

At least 9000 restricted records or their titles were made open access.

"These issues have resulted in serious privacy risks," the agency told the Internal Affairs Minister in a briefing on 18 November.

"The ongoing identification of new syncing issues has led to significant reputational and strategic risks for Archives."

It set up a team in November to develop a long-term plan "to address control weaknesses", and would work through to mid-2023.

The team had identified "additional risks", the OIA report said.

Yesterday, Archives NZ said those risks were around platform performance, customer expectations and the supplier of the search system, Swedish company Axiell, delivering what was required.

Axiell has apologised for the problems.

Get the RNZ app

for ad-free news and current affairs