ACC boss confirms massive privacy breach - but still not sure what happened
Update: Claims put under review in the month of August 2011 are the only ones compromised in the recent breach.
Update - March 14: ACC has come forward with advice to ACC claimants regarding the recent privacy breach of thousands of personal records.
According to a statement released by the agency this afternoon, only claims that were under review in the month of August 2011 have been involved in the breach.
Medical or "accident" details sent to the receiver have not been mentioned in files involved in the breach, with the information now believed to have been destroyed accordingly.
ACC believes the individual who received this information has not passed the claimants' personal information onto any other parties or individuals.
The company suggests those claimants who believe they may have had sensitive details compromised should contact ACC as soon as possible, as they will deal with these matters on a case-by-case basis.
An investigation has been launched into the breach as well as into ACC's standards in securing personal information.
Ralph Stewart, chief executive officer of ACC, has told NBR Online that the company is taking every measurable step to resolve the recent privacy issue.
The wrongful emailing of personal details in more than 9000 ACC claims - including those of well-known people - to an anonymous recipient has been labelled one of New Zealand’s worst privacy breaches.
"It is pretty early days at the moment but we first need to fully understand what actually happened," said Mr Stewart.
"The key thing now is to get the claimants into a position where they can be confident that ACC now has their records under a good lock-and-key. The file has since been dutifully destroyed from the hard drive of the machine that it went to and I am confident that the file is back under ACC's care.
"Processes and systems are currently being put in place so that this does not happen again."
When asked about the delayed response, Mr Stewart told NBR Online that ACC "didn't follow up [on the incident] as fast or as effectively as we should have."
According to Mr Stewart, the event first occurred in August last year when the incorrect file was sent to a claimant by an Auckland staff member. ACC was only notified in December about the incident by the individual who received it, and when ACC asked for the files to be sent back, the information was not forthcoming.
Katherine Evans, assistant privacy commissioner of the New Zealand Privacy Commissioner, informed NBR Online of the legal implications involved in the case.
"If someone receives information by mistake as the result of a security breach, they have the legal responsibilities to protect the privacy of the people involved; immediately letting the agency concerned know and securely destroying any copy they may have," she said.
The Privacy Commissioner will be expecting ACC to provide them with a written report into the incident including what steps it has taken to address this.
Earlier this morning, ACC minister Judith Collins asked for an immediate report into the privacy breach case - which happened three months ago but has only just been publicly revealed.
ACC released a brief statement this morning in reaction to the breach saying its first action is to “locate where the information allegedly released is being held and secure it as quickly as possible.”
Among the 9000 claims were the details of more than 250 clients from ACC’s ‘sensitive claims unit’, the company’s most secure unit, some of which contain claims of a violent and sexual nature.
The nature of the disputes and claims were outlined in great detail, including full names and individual claim numbers associated with them.
Three months ago, senior management at ACC were told that the country’s biggest privacy breach had possibly been committed, but followed no procedures to contain the breach, either within the company or with the recipient, even after a formal complaint was made.
Breach notification is not currently compulsory in New Zealand, though the Law Commission has recently recommended that this should be addressed.