A clinic nurse who reportedly misused patient identities to procure cough syrup illicitly for her boyfriend has been sentenced to five months in jail.

Tan Tong Lin, 42, faced the consequences of her actions in court on 3 June, following her admission of guilt on two charges under the Computer Misuse Act, along with one count of conspiracy to cheat. This incident came to light after a patient noticed unauthorised activities under their name back in 2021.

The investigation began when the clinic, noticing the discrepancies, enlisted a private investigator to delve into the irregularities. The probe quickly pointed to an internal breach orchestrated by Tan in collaboration with her boyfriend, Ng Kai Loon, 36, who asked her to obtain cough syrup – a substance he was allegedly abusing – under the names of unwitting patients using Tan’s access to the clinic’s database.

At Ng’s behest, Tan was said to have used the names of other patients to bypass the clinic’s restrictions on the sale of cough syrup.

The clinic distributed cough syrup directly over the counter, asking only for patients’ names and NRIC numbers, without needing a consultation. However, a policy limited the sale of cough syrup to 240 mL per patient every nine days, according to Deputy Public Prosecutor Yap Jia Jun.

Wrongfully accessing and manipulating patient records

The court heard how Tan repeatedly facilitated these purchases. The nurse accessed the records of 65 inactive patients, reactivated their statuses at least 25 times, and recorded Ng’s cough syrup purchases.

Irregularities in the patient records came to light in February 2022.

District Judge Terence Tay said Tan's behaviour constituted identity theft, with potential repercussions for the victims. He believes her involvement in a conspiracy to cheat warranted 10 years in prison and a fine.

Meanwhile, Ng’s hearing is set to take place later this month.

The misuse of data in the workplace: Lessons for HR

The sentencing of Tan serves as a stark reminder of the legal and ethical obligations that healthcare professionals hold. The case of misusing patient identities for illicit purposes has significant implications for HR within healthcare settings, particularly, regarding the importance of rigorous data protection and employee monitoring.

Here are some key considerations for HR when handling this type of data misuse at work:

1. Employee Background Checks

This incident underscores the need for thorough background checks that include past criminal records and employment history, especially for roles that involve sensitive data.

2. Data Access Controls

HR must ensure strict data access controls are in place. Access to sensitive information should be restricted based on the employee's role and need for the data. Regular audits and monitoring of data access can help prevent misuse.

3. Training and Awareness

Regular training on data protection laws and ethical handling of patient information is crucial. Employees should be aware of the legal consequences of data misuse and the importance of adhering to organisational policies.

4. Clear Policies and Procedures

There should be clear, documented policies regarding the use of patient data, including severe consequences for misuse. These policies must be communicated to all employees and regularly reviewed to ensure they remain effective and are followed.

5. Reporting Mechanisms

Implementing secure and anonymous reporting mechanisms for employees to report suspicious activities or breaches is essential. This encourages a culture of transparency and quick response to potential data misuse.

6. Regular Audits

Regular audits of data access and usage should be conducted to ensure compliance with policies and to detect any irregular activity. This can help prevent incidents like the one involving Tan from escalating or recurring.

7. Crisis Management and Response

HR should have a crisis management plan that includes steps to take when data misuse is detected. This includes cooperating with law enforcement, conducting internal investigations, and communicating with affected parties.

8. Review and Update Security Measures

Following such incidents, it's crucial to review and, if necessary, update security protocols and systems to fortify defenses against future breaches.

9. Support Systems for Addiction and Mental Health

Given the involvement of substance abuse in this case, HR should also consider the implementation of support programs for employees struggling with addiction or mental health issues.

This incident serves as a reminder of the potential consequences of negligence and the continuous need for vigilance in managing employee actions and safeguarding sensitive data.