Names (other than Canterbury District Health Board and Mr Turori Chapman) have been removed to protect privacy. Identifying letters are assigned in alphabetical order and bear no relationship to the person's actual name.
HDC investigation into breach of security at Canterbury DHB
The Health and Disability Commissioner, Ron Paterson, has concluded that no patients were harmed during the security breach at Christchurch Hospital in late 2006.
Mr Paterson has completed an inquiry into the circumstances that allowed Mr Turori Chapman to fraudulently obtain an identity badge from Canterbury DHB, giving him access to patient areas, patient information, and patients from 6 to 10 October 2006.
The investigation, which commenced in October 2006, found that Mr Chapman made a calculated decision to fraudulently obtain an identity badge, and succeeded in his attempt. Although the systems to obtain an identity badge at CDHB were imperfect, this became apparent only when examined in the light of Mr Chapman's deception.
20 February 2007
Mr Gordon Davies
Chief Executive Officer
Canterbury District Health Board
PO Box 1600
Dear Mr Davies
Commissioner initiated investigation
Our ref: 06/15763
I refer to Canterbury District Health Board's (CDHB) legal representative's letter of 7 February 2007 responding to my provisional decision on the investigation of matters relating to Mr Turori Chapman obtaining a CDHB identity badge, and his subsequent contact with patients. I note that your legal representative advised that CDHB will perform an audit prior to 30 April 2007 to ensure that the amended procedure for supplying identification badges is being complied with.
Having carefully considered the issues and the information gathered during the investigation, I have concluded that the systems in place at CDHB for preventing such an incident were generally appropriate and that further investigation is unnecessary. This decision is taken in accordance with section 38(1) of the Health and Disability Commissioner Act 1994.
The purpose of this letter is to advise CDHB of my decision, and to set out the information on which it is based. The rest of this letter is substantially unchanged from my letter of 17 January 2007.
As you are aware, the following issues were identified for investigation:
The appropriateness of Canterbury District Health Board's systems to protect patients, in particular:
- the issuing of identity badges
- the security of the computer network
- the security of access to clinical treatment areas and clinical information.
The adequacy of Canterbury District Health Board's response to the issuing of the false identity badge in October 2006 to Mr Turori Chapman.
During the course of my investigation, I reviewed information from CDHB and the New Zealand Police. My Office has also spoken to Ms A and Mrs B, two people who were in contact with Mr Turori Chapman when they were patients in Christchurch Hospital.
At approximately 3pm on 4 October 2006, Mr Chapman introduced himself at the Corporate Reception desk of Princess Margaret Hospital (PMH) as Ms Tess Chapman, and requested to see Mr C, Executive Director, Maori and Pacific Health. Mr C stated:
"I had an already arranged meeting at the time and asked reception to ask her to wait. I did not know who Tess Chapman was and was not going to cut my pre-arranged appointment short …
About 5 minutes later, reception told me that Tess Chapman had been paged and that she would contact me later. I never actually met or talked to her (him).
Later that day I looked up Tess Chapman on our intranet phone book to find out what she may have wanted to discuss. I was unable to find the name (not an unusual occurrence), so dropped the matter until I heard back."
On 5 October, Mr Chapman called at the Chaplain's office at Christchurch Women's Hospital and asked one of the chaplains whether the Chaplain to Maori was present.
At 7.30am on 6 October, Mr Chapman signed out a hospital vehicle from PMH.
Later in the morning, Mr Chapman returned to PMH. He presented at the reception desk on the fifth floor. Ms D stated:
"I am employed as a clerk staffing the Reception of the Fifth floor of the Princess Margaret Hospital amongst other duties. Attached to my computer is a web camera that I use for taking staff photographs that are then emailed to the Identity Badge Administrator at the Christchurch Women's Hospital Reception.
At approx 11.30[am] on Friday 6 October 2006, I was approached by a person who said he was Tess Chapman. He appeared to be female. … He either gave me a Security Card Information Sheet Form filled out to the effect that he was a Clinical Nurse Specialist working for [Ms E], Community Therapy Team … to whom the badge was to be sent, OR he verbally informed me of that information.
I had no reason to suspect [Mr] Chapman and emailed the photograph to the Identity Badge Administrator as an attachment to the delivery instructions. [Mr] Chapman then left."
The email sent by Ms D with the attached photograph stated:
"Tess Chapman Clinical Nurse Specialist send to [Ms E] Community therapy 3rd floor Heathcote PMH."
Ms F, Identity Badge Administrator, stated:
"On Friday the 6th of October 2006 at about 11.29[am] I received an email from [Ms D] at the Princess Margaret Hospital requesting that I use the photograph attached to produce an identity badge for Tess Chapman to send to [Ms E], Community Therapy Team, Heathcote Building, The Princess Margaret Hospital.
At about 11.50am … a person who I now know to be Turori Chapman arrived at my office and told me that he had had his photograph taken at the Princess Margaret Hospital and asked me if he could have his identity badge. He did not have an Identity Badge Application Form so I told him to come back with a form. About 10 minutes later he returned with an apparently correct application form. I processed the application and at 12.03pm I issued him with an identity badge. I kept the email for my records but did not keep the printed application form.
I do not recall whether the application form had a cost code on it. I think that I disposed of the application form because I already had a computer record from [Ms D]."
The identity badge included an electronic 'swipe' section. Mr Chapman was granted access using the card to "General Staff Access" at PMH, and "All Cards Access (General Staff Access)".
Ms F added that she cannot recall whether the form had been signed. The normal procedure is to give the completed badge at the time to the intended holder, and the employee number is not required to produce the badge.
"At the time of the incident, the process for obtaining an identity badge … was for an employee's line manager to complete an application form, available on the CDHB intranet, and send the employee to the Identity Badge Administrator for a photograph to be taken and a badge to be produced. Staff working at the Princess Margaret Hospital …, Burwood and Hillmorton Hospitals are able to have their photograph taken by the designated staff member who would email the photo to the Identity Badge Administrator who is based at Christchurch Women's Hospital, who would post the badge to the employees' line manager."
From 12.34 until 12.48pm, the computer record shows that Mr Chapman was denied access eight times to areas, as his badge did not allow access.
At 1.04pm, Ms F added further access to the card to allow "CWH General Staff Access". She does not now recall why she made an entry an hour later. This allowed Mr Chapman access to areas previously denied.
Mr Chapman chose not to agree to an interview with my Office. In his Police interview, recorded on videotape, Mr Chapman stated that he obtained an identity badge by walking into the hospital and joining a queue in the ID badge office. He stated that he had his photograph taken and the badge issued at the same time, and he completed no form.
CDHB provided a copy of the form to be completed. The information input by Ms F is as follows: name ("Tess Chapman"); position ("Clinical Nurse"); Department ("Specialist"); Division ("TPMH"); Cost Centre ("456"); PIN ("3645"). The section for the employee number was not completed. The form included a section that required a signature from the manager requesting the badge ("MUST BE COMPLETED BY CONTROLLING OFFICER").
The badge was passed to Mr Chapman by Ms F, and not posted to the requesting manager.
Contact with patients
In his Police interview, Mr Chapman denied making any contact with patients. However, CDHB identified that he had written in the clinical notes for three patients (Mr G, Ms H, Mr I), and may have had contact with three other patients (Mrs J, Mrs B, Ms A).
Mr Chapman made two entries in Mr G's notes, both on 9 October, neither timed:
"CNS T Chapman - Clinical Head Maori Health Services.
Visited [Mr G] will follow-up with whanau contact.
Revisited - family contact."
Mr G was contacted by CDHB to advise that he had been visited by Mr Chapman. Mr G stated in an email dated 15 November 2006 that he was not aware of Mr Chapman ever talking to him.
Mr Chapman wrote in Ms H's notes on 10 October:
"SEEN BY CNS VERY UNRESPONSIVE"
Attempts were made by my Office to contact Ms H to discuss Mr Chapman's visit, but she has left her address, with no forwarding or other contact details available.
Mr Chapman visited Mr I at 12.15pm on 9 October:
"Maori Service Team - visited [Mr I] not here will call back. T Chapman CNS."
There is no evidence that Mr Chapman returned to see Mr I.
CDHB advised that Mrs J was receiving palliative care for a major malignancy. As there is no record made of Mr Chapman visiting Mrs J, it was decided it would be inappropriate, in the circumstances, to approach her.
When contacted by my Office, Mrs B, who had been a patient in hospital at the time, stated, "I can't recall a visit from [Mr] Chapman."
Ms A was a Clinical Nurse Specialist at CDHB. She became unwell while at work and was admitted to the Emergency Department. While she was there, Mr Chapman entered, introducing himself as the (female) clinical nurse specialist for the Emergency Department. Mr Chapman asked to check Ms A's wrist band, asked her if she was happy with her care, and then left. Ms A recalls that Mr Chapman went into the adjoining bay and asked the same questions of another patient. Ms A stated that Mr Chapman was very plausible.
Mr Chapman also visited a child on a ward on 10 October. The charge nurse requested to see the referral notes, and Mr Chapman said he would get them from his receptionist. Mr Chapman stayed briefly with the child then left. The nurse was present at all times.
On the morning of 10 October, a nurse on one of the wards contacted a member of the Maori Health Team, as a patient who Mr Chapman had seen was for discharge. The nurse was requesting a follow-up visit from the Maori Health Team.
Following inquiries during the day, at 6.13pm the security access privileges on Mr Chapman's identity badge were removed as there were sufficient concerns that Mr Chapman was not a legitimate member of staff. By midday on 11 October, CDHB had completed the inquiries, advised staff in the hospital, and informed the Police.
CDHB stated that changes have been made as a result of this incident:
"We have added an additional step into the procedure for the issue of ID badges and access cards. Immediately following the event, the issuing Policy was revised so that the applicant's line manager needs to send a confirmation email to the Identity Badge Administrator before a card will be issued. This was communicated on 12 October by the Administrator who will not process applications until that step is completed. We have also updated our Policy and application form … to reflect the additional step.
Our Nursing Policy states that a signed form needs to be completed by the Charge Nurse and presented to the uniform room. Staff in the uniform room are contracted rather than employed by CDHB. Following the incident, we have reviewed the issuing of uniforms by the contractor who is aware of the Nursing Policy but appears to have been issuing uniforms on production of their ID badge only, as was the case with Mr Chapman. We have required the contractor to comply with the Nursing Policy and to make improvements to the documentation they complete when issuing a uniform. You will note … that a uniform was obtained on 10 October, the last day Mr Chapman accessed our sites.
One of the main reasons we have PC access in the Christchurch Hospital Cafeteria is so that patients or their families can access emails and also obtain useful information such as maps and other material which may assist the patient or their family. We are currently reviewing whether such access should include the full CDHB intranet which, as noted, includes internal telephone numbers and cost codes."
Clearly, the public should be able to trust hospitals to issue identity badges only to authorised members of staff. Patients and their families put great trust in hospital staff, and it is essential that hospitals have systems that are secure enough to prevent abuse. In this case, a dishonest yet plausible person was able to circumvent the systems to enable him to obtain a seemingly legitimate identity card.
Some details remain unclear, as Mr Chapman's evidence to the Police is not credible. In particular, it is not clear whether there was a form requesting the creation of an identity badge. Ms F stated that there was a form, but she did not keep it for her records as she had an email from Ms D which had accompanied the photograph. I find it difficult to understand why Ms F would retain an email from a clerk on reception duty, yet discard the formal record of the badge request, which was required to have the signature of the requesting manager. Ms F described the form she saw as "apparently" complete, yet the computer record (supposedly completed from the form) omits the department where Mr Chapman claimed to be working, and if there was a signature on the form, it was a forgery. It is certainly of concern if Ms F simply discarded the form; equally, it is concerning if she went ahead and issued the badge without the requisite form. Ms F is also unable to recall the subsequent amendment to the access on the badge, which allowed Mr Chapman access to areas previously denied him.
CDHB advised that the completed badge was to be sent to the authorising manager, and the email from Ms D specifically requested that the badge be sent to the manager. However, Ms F stated that normal practice was to pass the badge directly to the applicant, and she chose to ignore Ms D's request.
What this case clearly shows is that the system for issuing identity badges was the responsibility of two relatively junior members of hospital administrative staff, and that a convincing person with (or without) an "apparently" completed form - with, at best, a forged signature on the form - was able to obtain a badge.
Although the system for obtaining an identity badge was flawed and open to abuse from a dishonest person, this is obvious only with the benefit of hindsight. Since the incident, CDHB has tightened up the procedure, so that an email is required from the applicant's line manager before the badge is issued. I am satisfied that this action is adequate to prevent a similar event occurring.
Having taken receipt of an identity badge, Mr Chapman had relatively wide access around CDHB. On those times when there was contact, staff were presented with what appeared to be a legitimate member of staff, with a seemingly legitimate reason for contacting the patients and reading the notes. However, having reviewed the information provided, I am satisfied that no act by Mr Chapman affected the treatment or care of the patients with whom he was in contact.
Response to incident
When presented, albeit fortuitously, with evidence that there may have been someone masquerading as a nurse, CDHB reacted promptly and appropriately. Access using the identity badge was denied, and staff were warned of Mr Chapman's presence. Information was handed to the Police, and inquiries were made to find out if Mr Chapman had been in contact with patients. When it was discovered that there had been contact, CDHB followed up by contacting the patients.
Initially it was thought that Mr Chapman had been involved in sending the email that authorised the badge. This was not the case, and there is no evidence that the security of the hospital computer network was jeopardised.
Mr Chapman made a calculated decision to fraudulently obtain an identity badge, and succeeded in his attempt. Although the systems to obtain an identity badge at CDHB were imperfect, this became apparent only when examined in the light of Mr Chapman's deception. I am satisfied that no patient came to harm as a result of Mr Chapman's actions, and that CDHB has acted appropriately as a result of the incident. Accordingly, I have decided to take no further action.
I request that CDHB advise me, by 31 May 2007, of the results of an audit into compliance with the identity badge procedure which is to be performed by 30 April 2007.
I intend to release the attached statement on 28 February 2007, and to place an anonymised copy of this letter on the HDC website.
Thank you for your cooperation with my investigation. The file is now closed.
Health and Disability Commissioner