Embattled insurer ACC has been caught out scrambling to shut down yet another privacy breach in the very week it has been forced to accept an audit into its handling of client files.
The inquiry was commissioned by ACC and the Office of the Privacy Comissioner in the ongoing fallout after the Dominion Post revealed ACC sent whistleblower Bronwyn Pullar 6500 clients' private details, including the names of sexual abuse and violent crime victims.
The saga also claimed the scalp of former ACC Minister Nick Smith who stood down from his cabinet portfolios after it was found he sent correspondence to ACC about Pullar - a friend of Smith and former National Party activist - without declaring a conflict of interest.
The latest breach came about when ACC claimant Garth Paul asked to see his file - he had to make repeated requests to get the file as ACC sent only some documents. In the end, ACC sent him a file belonging to a different person.
Paul advised ACC it had sent him another person's file, but did not reveal whose it was. He did however contact the man whose file was sent out.
The Sunday Star-Times has spoken to that man. We are not naming him to protect his privacy. "I was so angry when I found out. But it's typical behaviour of ACC," he said. "I said to him [Garth Paul], hang on to it [the file], use it to show what they're like."
He and Paul say ACC's systems are so bad the case managers cannot work out whose file they breached and have yet to contact the client to let him know his file was wrongly sent out and apologise.
If it were not for Paul contacting him, he would be unaware of the error. He is grateful his file went to Paul who handled the matter sensitively.
The botch-up and inability of ACC to determine whose file was sent and how backs up other claims of sloppy practices.
Dunedin ACC client Bruce Van Essen has had an ongoing battle over breaches of his privacy. He says the ACC computer storage of clients' confidential medical records is so primitive the records can be viewed by virtually every employee from a mailroom assistant up. Van Essen found his ACC files had been accessed 2800 times since 2006 - a figure he said could not be justified by everyday claims management. Pullar said her file had been accessed 2000 times over three-and-a-half years by a total of 137 people.
On Thursday ACC chief executive Ralph Stewart and the Office of the Privacy Commissioner Marie Shroff announced audit firm KPMG and Malcolm Crompton, a former Australian federal privacy commissioner, would probe the Pullar privacy breach.
The Sunday Star-Times found the privacy commissioner received 61 privacy complaints about ACC in the last year. Of those, 15 were found to have substance and were subsequently settled. One has been referred to the director of Human Rights Proceedings, who will decide if it will go to a tribunal hearing. The figures show ACC privacy concerns are endemic. There were 57 complaints to the commissioner in 2009/10 and 43 in 2008-09.
"I think this kind of thing happens a lot more than we know," said counsellor and ACC advocate Ian Brown, whose clients include Garth Paul.
Brown said that even as officials scrambled last week to resolve the fall-out from the Pullar breach, managers from a Christchurch ACC office were making endless calls to Paul, to try to retrieve the file sent to him in error.
Just before Paul went public with the privacy breach, ACC manager John Doidge sent him a letter on Monday, March 19, telling him to return the file within 24 hours. ACC refused to comment on the latest breach, with the board chairman and chief executive citing the pending inquiry as preventing them from discussing breaches or privacy issues.
The inquiry is expected to take three months, which means the ACC position on comment blunts discussion of privacy breaches that surface in the meantime.
ACC's initial response when Pullar's claims were made public was to issue a report to new ACC Minister Judith Collins - without speaking further to Pullar - and to allege she tried to blackmail ACC over return of the files. It then said it had referred the matter to police.
Pullar denied any blackmail attempt and said ACC was trying to defame her.
Brown said receiving another person's file was not the only evidence Paul had of privacy breaches. ACC had also allegedly contacted his mother about his case without permission, which backs Pullar's claims of the treatment meted out to her.
Brown said Paul had been treated appallingly by ACC. He claimed staff weren't interested in rehabilitation, people, or their privacy. "In her criticisms of ACC, I don't think [Pullar] was being over-the-top, I think she was being gentle. As one of my clients has told me, if he was a dog, the SPCA would have been prosecuted over his care."