Alfred Health confirmed on Thursday thousands of patients had fallen victim to the privacy breach after investigations found the staff member unethically sighted their documents over a four-year period.

The type of data accessed included information on a patient’s name, date of birth of parents, Medicare number, address details and medical information including details on a patient’s diagnosis, test results, treatment and medications.

Some of the patient records viewed by the pharmacist included those of their fellow staff members.

They reportedly snooped on patient records because they were “curious”, and their behaviour is now being investigated by the Australian Health Practitioner Regulation Agency.

Chief Executive Andrew Way said “accessing patient information when not directly involved a patient’s care is completely unacceptable and we unreservedly apologise for the healthcare worker’s misconduct”.

“We have written to every patient whose medical record was accessed without authority, and we have established a dedicated hotline to provide them with support,” Professor Way said.

An automated text message sent to a patient – who had chosen stricter privacy setting – in June to say their My Health Record had been accessed triggered the Alfred’s investigation, an Australian Digital Health Agency spokesman said.

“The issue was identified when a linked My Health Record was also accessed and the healthcare recipient notified by SMS in accordance with the individual’s notification preferences,” he said.

“The Alfred reported the breach to the Agency as required by the My Health Record legislation.”

The pharmacist was dismissed by Alfred Health after the investigation found they had been accessing patient records without appropriate permissions.

Fortunately there was no financial information available and a review by cyber experts found no evidence of download or use of the information.

“There is no evidence that the former employee kept a copy of any data, shared data online or otherwise misused patient data,” Professor Way said.

“Out of an abundance of caution we will continue to monitor this situation, and we will let patients know if this changes.

“To make sure this doesn’t happen again, we are introducing additional monitoring that will better detect unusual behaviour in our electronic medical record system, while still providing seamless patient care.”

It comes as new data from Australia’s privacy watchdog revealed health services reported more data breaches than any other industry last financial year.

The majority of Australian organisations are required by law to notify the Office of the Australian Information Commissioner of any data breaches that are “likely to result in serious harm” to the individuals whose information was leaked.

The OAIC’s annual report, released late last month, revealed health services providers reported more data breaches – 135 – than any other industry.

Health services were also the subject of 330 privacy complaints received by the OIC last year.

The industry attracted the second highest number of complaints, second only to finance.

The OAIC and the Australian Digital Health Agency have been contacted for comment.

More Coverage

Hospitals told to slash costs amid Labor’s rising debt

Alex White

Erin Patterson arrested over fatal mushroom lunch

Olivia Jenkins, Brooke Grebert-Craig, Jon Kaila, Mark Buttler, Jack Colantuono