Mother ‘mortified’ by record breach at BHB
A privacy breach at the Bermuda Hospitals Board affected more than 100 people after patient records were accessed improperly, the organisation has confirmed.
The BHB said that those affected had been contacted and that there was no evidence of any information being “lost, changed, destroyed or exposed to unauthorised external parties”.
However, one woman told The Royal Gazette that she had been left “mortified” after learning that her son’s medical records had been accessed and felt “dismissed” by the BHB’s response.
“The way they have handled this has been quite inconsiderate,” she said. “We have nothing to hide, but our privacy has been breached.”
The woman, who is not being identified to protect the identity of her son, said she received an e-mail from the BHB on August 20 informing her that there had been “unauthorised access” to records held by the hospital.
The letter stated that the BHB had identified that, on different dates, various patient medical records had been accessed by a member of hospital staff who did not have authorisation to do so.
It added: “We understand this communication may cause concern, and we want to reassure you that BHB takes the protection of your personal information very seriously.
“At present, we do not anticipate any adverse consequences to you as there is no evidence that your information has been used or disclosed beyond the unauthorised internal access that we have identified.
“Please be assured that the breach has been contained and we are continuing to work diligently to address any individual or systemic issues appropriately.”
However, when she was able to contact BHB staff, the woman was told that it was her son’s medical information that had been accessed.
She said that she subsequently received a response from the BHB, which said it was satisfied that it had met all the requirements under the Personal Information Protection Act and no further action was required.
The message continued that it could not provide details of “confidential personnel matters”, including the identity of the staff member who accessed the documents or how the matter was addressed.
However, the message did confirm the date when the breach took place — showing that it happened while her son was 17.
She said that she felt the communications with the BHB were “dismissive” of her concerns and that she had gone to the Bermuda Police Service to file a report.
“We only have one local hospital, we have all of these Pipa laws,” she said. “What is being done?”
In response to questions from the Gazette, a BHB spokeswoman said: “The BHB has identified and addressed a privacy breach involving unauthorised access to patient records by an employee.
“The incident was detected during a routine audit of system access logs. We immediately contained the breach and are now well under way in addressing any individual or systemic issues appropriately.
“There is no evidence to date of any information being lost, changed, destroyed or exposed to unauthorised external parties.
“We have contacted 106 affected individuals and reported the matter to the Office of the Privacy Commissioner in line with the Personal Information Protection Act 2016.”
The spokeswoman said that the Privacy Commissioner’s office had confirmed that the breach notification and measures taken in the wake of the discovery fulfilled legislated requirements.
“The BHB deeply regrets that this incident has occurred,” she continued. “It does not represent the actions of our many staff who comply with our policies and Pipa training programmes every day.
“We remain committed to protecting all personal and medical information and upholding the rights of our patients to confidentiality and privacy.
“We will continue with our proactive surveillance to ensure that BHB is compliant with confidentiality and Pipa obligations and also use the findings of this incident to further strengthen processes as needed.
“Any patients who have questions can contact the BHB privacy officer at privacy@bhb.bm.”
Christopher Moulder, the Acting Privacy Commissioner, confirmed that the office had received a breach notification from the BHB and queries from people who had been affected.
“Following an assessment of the breach notification and follow-up discussions with the organisation, we determined that they had taken proportional steps to address the breach, while highlighting measures to be implemented moving forward,” he said.
“If any individual, including parents or guardians on behalf of a child, believes personal information has been impacted resulting from the breach, please feel free to contact the organisation or our office directly.
“Alternatively, all individuals have the ability to utilise their rights under Pipa, and we have dedicated guidance for individuals, templates and intake forms available on our website that will assist the rights request processes.”
A spokesman for the Bermuda Police Service said last night that a report regarding a privacy matter was made for information purposes.
However, he said privacy breaches do not fall under the remit of the police and advice regarding such breaches and related matters rests solely with the Privacy Commissioner’s office.
The spokesman said: “The police do not get involved in or investigate Pipa matters relating to other organisations.
“As such, we recommend that the request for an investigation update is submitted to the entity/organisation of interest.”
He said if a member of the public contacted the police regarding a Pipa matter not related to the BPS, they would be directed to report the matter to the specific organisation or to make contact with the Privacy Commissioner for advice.
He added: “Any advice regarding protocols/procedures in relation to privacy breaches is issued by the Privacy Commissioner.
“Administration of specific privacy breaches rests solely with individual organisations.
“The Pipa does not have a specific role/process that involves the police.”