Yesterday, the Victorian Ambulance Union Incorporated (VAU) became aware of a potential third serious breach of privacy at Ambulance Victoria (AV).

This follows a previous breach of privacy in early May 2023 where confidential spreadsheets of pre-employment AOD screens for AV graduates were accessible on the AV intranet, and a second breach in August 2023 where members information was found to be accessible on the AV intranet including staff medical information, applications, managers notes and handover reports, HR information, business cases, and AV Symbolix reports (trends in use of AV medication). In both circumstances, AV only became aware of these breaches when informed by the VAU.

Following these breaches, AV informed staff that they are “committed to protecting the privacy of personal and health information, taking every step possible to make sure this does not happen again”.

Yesterday, the VAU was informed that further information was accessible to the workforce on the People@AV intranet page. Information that was accessible included personal mobile phone numbers and rostering status such as indicating if a member is on Workcover.

The VAU has urgently contacted AV seeking that they do the following:

  • Confirm that all personal information including mobile phone numbers, are removed from the intranet immediately.
  • Inform any affected employee (including past employees) of a potential breach of their privacy.
  • Conduct an audit of how long the information has been accessible for, who has accessed this information, and take steps to ensure that those people are contacted and made aware of their responsibilities.
  • Comply with its responsibilities to report the breach to relevant authorities, including but not limited to the Office of the Victorian Information Commissioner (OVIC).
  • Take all necessary steps to ensure that there are no further breaches in relation to employees personal information.
  • Immediately pause the use of the People@AV page on the AV intranet until such time as there is no possibility of further breaches.

We have been informed that the People@AV page has been taken down temporarily.

Over the years the VAU have supported members in relation to family violence matters, who have previously been required to change phone numbers after they were released and circulated without permission. At least one at risk member, who had previously been exposed by privacy breaches in AV and has had to change their mobile number on four occasions. Once again, the member has had their mobile phone number exposed in this latest breach and will now be required to take steps to ensure their safety and change phone numbers for a fifth time. This is likely to be the case for other members of the workforce who are at risk and unable to rely on AV providing them with a safe workplace.

The consistent negligence and disregard for staff privacy is made more offensive by AV citing patient privacy as their reason for rejecting various safety initiatives, including those aimed at preventing occupational violence against our members. Health and safety representatives have been denied access to information or to be involved in the development of care plans for people who repeatedly assault paramedics.

AV have an appalling recent record on protecting members privacy with three serious breaches in the past year. Despite repeated assurances, AV have not been able to provide our members with a safe workplace. As such the VAU have made sure that this bulletin has been sent to the AV board members Shelly Park, Amanda Watt, Denise Heinjus, Dipak Sanghvi, Ian Forsyth, Dr Joanna Flynn AM, Peter Lewinsky AM, Vijaya Vaidyanath and Wenda Donaldson.

With their combined experience, accolades, and impressive list of credentials, perhaps they will be able to help find a way to stop broadcasting our members’ private information all over the internet!

In Solidarity