The "Need-to-Know" Boundary – Lessons in Data Privacy

Case Study: Unauthorized Access of Patient Data in a Healthcare System


Spent over a decade helping organizations thrive through re-platforming, digital analytics, and marketing automation. Now, I’m pivoting to Data Privacy and Governance. I specialize in translating abstract frameworks into actionable practices ensuring growth and protection work in tandem.

1. Overview

A customer service associate working for a major public healthcare cluster in Singapore was found to have repeatedly accessed patient records without authorization over a six-month period. She used a centralized healthcare IT system, designed to manage appointments and billing, to view the sensitive personal and medical data of 11 individuals, including former colleagues, family members, and a specific acquaintance.

2. The Breach: Unauthorized Access

The employee had legitimate access to the "EPIC" system (an electronic health record platform) as part of her role in managing patient services. However, the organization's policy and the law dictate that staff may only access records within their specific "purview"—meaning they should only view the data of patients they are currently serving.

Between July and December 2022, the individual accessed the system 223 times to review records that were not related to her work duties. The data viewed included:

  • Full names and NRIC numbers

  • Residential addresses and contact details

  • Medical appointment history

  • Billing information

3. The Motive and Detection

The breach was not a result of a cyberattack or technical loophole, but a breach of trust by an authorized user. The individual’s primary motive was personal; she sought to "reignite a relationship" with a woman she had lost touch with. She used the system to find the woman's contact details and information regarding her child’s health.

The incident came to light when the victim received messages from the employee on social media. The victim became disconcerted when the employee revealed specific, confidential details about her child’s medical history that had never been shared. The victim subsequently filed an anonymous tip-off to the healthcare cluster.

The employee was charged under the Computer Misuse Act.

  • The Sentence: She was fined the maximum amount of $5,000 for the charge.

  • Employment Impact: She was terminated from her position following an internal investigation and a police report filed by the Ministry of Health.

  • Judicial View: The court emphasized that the prosecution was "fair and kind" given the potential for a custodial sentence, highlighting that the misuse of a privileged position to infringe on privacy is a serious offense.


In the age of digital transformation, "Data is the new oil" is a phrase we hear often. But for those in the healthcare and service industries, data is more like a sacred trust.

A recent case in Singapore’s healthcare sector serves as a cautionary tale for any organization that handles personal information. A staff member was fined and terminated after using her company’s database to look up the medical records of family members and old acquaintances for personal reasons.

It wasn’t a hacker from halfway across the world; it was a trusted employee with a login.

Why Privacy Isn't Just "Security"

This case highlights a critical distinction in the world of data: Security is about keeping the bad guys out. Privacy is about ensuring the "good guys" only see what they need to see.

When employees treat a database like a search engine for their personal lives, the damage goes beyond a legal fine. It erodes the public's confidence in the institutions that are supposed to keep us safe.

Key Takeaways

  1. Access is not Authority: Just because an employee has a username and password for a system does not mean they have the authority to browse it at will. Access must be tied to a specific business function.

  2. The "Insider Threat" is Human: Often, the biggest threat to data isn't a virus—it's curiosity or personal emotion. Employees must understand that digital footprints are permanent and monitored.

  3. Proactive Reporting Works: In this case, the breach was discovered because a member of the public noticed something "creepy" and reported it. A clear channel for whistleblowing and complaints is a vital safety net.


🛡️ Good Practice Checklist: Protecting Data Control

Is your organization doing enough to prevent a breach of trust? Use this checklist to audit your internal data culture.

Access & Control

  • Role-Based Access Control (RBAC): Do employees only have access to the specific folders or systems required for their job?

  • The "Need-to-Know" Policy: Is it explicitly written in the handbook that accessing data for non-work purposes is a terminable offense?

  • Just-in-Time Access: For sensitive data, do you require a "reason code" or temporary approval before a record can be opened?

Monitoring & Auditing

  • Audit Trails: Does your system log every time a file is opened, and by whom?

  • Anomaly Detection: Are you alerted if an employee accesses an unusually high number of records in a short time?

  • Regular Spot Checks: Does the IT or Compliance team conduct random audits of access logs?
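The audit-trail and spot-check items above, as an added example (not from the original post or from any EHR vendor): it correlates record-access logs with service encounters to flag lookups outside a staff member's purview, which a volume alert alone can miss when lookups are spread thinly over months. The field layout, staff and patient IDs, sample rows and the 24-hour window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (hypothetical layout, not a real EHR export).
# Encounter rows tie a staff member to a patient they were serving.
ENCOUNTERS = [
    ("staff_a", "P001", "2022-07-04T09:00"),
    ("staff_a", "P002", "2022-07-04T10:30"),
    ("staff_b", "P003", "2022-07-05T14:00"),
]
# Audit-trail rows: who opened which patient record, and when.
ACCESS_LOG = [
    ("staff_a", "P001", "2022-07-04T09:02"),  # serving this patient
    ("staff_a", "P002", "2022-07-04T10:25"),  # shortly before the appointment
    ("staff_a", "P003", "2022-07-04T12:15"),  # never served this patient
    ("staff_a", "P003", "2022-07-19T12:40"),  # returns to the same record
    ("staff_a", "P001", "2022-08-30T18:05"),  # served once, but weeks earlier
    ("staff_b", "P003", "2022-07-05T14:10"),  # serving this patient
]
WINDOW = timedelta(hours=24)  # assumed tolerance around an encounter


def out_of_purview(access_log, encounters, window=WINDOW):
    """Return accesses with no encounter for that staff/patient pair in the window."""
    served = defaultdict(list)
    for staff, patient, ts in encounters:
        served[(staff, patient)].append(datetime.fromisoformat(ts))
    flagged = []
    for staff, patient, ts in access_log:
        when = datetime.fromisoformat(ts)
        times = served.get((staff, patient), [])
        if not any(abs(when - enc) <= window for enc in times):
            flagged.append((staff, patient, ts))
    return flagged


def repeat_targets(flagged, min_hits=2):
    """Surface staff who keep returning to the same out-of-purview record."""
    counts = defaultdict(int)
    for staff, patient, _ in flagged:
        counts[(staff, patient)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    hits = out_of_purview(ACCESS_LOG, ENCOUNTERS)
    for row in hits:
        print("REVIEW", *row)
    print("repeat targets:", repeat_targets(hits))
```

Flagged rows are candidates for a compliance spot check, not proof of misuse; legitimate follow-up work outside the window needs a documented reason before it is cleared.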

Culture & Training

  • Annual Privacy Training: Do staff undergo regular training on the PDPA (or local equivalent) and the Computer Misuse Act?

  • Real-World Examples: Do you share anonymized case studies (like this one) with staff to show the real-world consequences of "harmless" snooping?

  • Clear Reporting Channels: Is there a clear, anonymous way for employees or the public to report suspicious data usage?