A man who went for a check-up at a public healthcare clinic two months ago was told his medical records listed him as having died in March.
The man is among at least a dozen other people who claim to have discovered that their medical files contained upcoming appointments for serious tests and surgeries they did not need, data about hospital admissions they never underwent, medication they were never prescribed, by doctors they never visited, for illnesses they never had.
Some of the mysterious anomalies are now the subject of an investigation by the Data Protection Commissioner.
Times of Malta spoke to many of those affected on condition of anonymity. All said that they worried their data would be meddled with further if they revealed their identity.
The man who was told he had ‘died’ is only in his early thirties and discovered the issue by chance, when he visited a clinic in June for a check-up.
“The receptionist asked me for my ID card number and I saw her input it in her computer. She looked at the screen, looked back at me and asked me to repeat the number,” the man told Times of Malta.
“I did, she inputted it again, looked at the screen again, looked back at me and said: ‘It says here you’ve been deceased since the end of March’.”
The scope and purpose of our investigations are primarily to establish facts while ensuring that the parties’ right to be heard is guaranteed throughout the process- Data Protection Commissioner
Staff at the clinic were very helpful and saw to his needs that day, he said, but he later had to go to Mater Dei’s medical records office to rectify the error.
“It could have been a genuine mistake, but it was very strange to me, because during the period I was marked as ‘deceased’ I travelled abroad, I worked and paid tax and even received the voting documents for the EU parliament and local council elections and voted normally without any hiccups,” he said.
“I only discovered the issue when I needed to visit the clinic.”
The man noticed another error on his medical record, however. It said that two days before he ‘died’, he was admitted to the hospital outpatients department, when in fact, he was not.
Even more mysteriously, his name and identity card number were correct on the records – only the data seemed to belong to someone else’s medical history.
Several people’s accounts of similar experiences have been surfacing online since lawyer Jason Azzopardi claimed a couple of weeks ago that Maltese ID card holders were “robbed” of their identities and that several ID numbers were allegedly assigned to other people through corrupt practices at Identità.
This week a magistrate upheld Azzopardi’s request for a magisterial inquiry into the alleged scam. So far, it remains unclear whether reports of hospital appointment errors are connected to these allegations.
Phantom hospital appointments
People who spoke to Times of Malta claim to have been contacted from hospital and clinics over the past months to confirm an upcoming appointment for a test, operation or treatment scheduled for the following weeks.
The appointments listed their correct name and ID card number, but the medical details were not theirs.
Appointments even included the name of the doctors who had presumably made the referral – only these people had no such conditions and never visited those doctors.
One mother said she received an appointment for her teenage child to undergo a medical test. A quick Google search revealed that this was for a very serious illness related to a major organ.
When she inquired about it with customer care, the representative was surprised the mother was not aware of the appointment as the system was showing there were three doctor referrals for it.
The mother said the appointment was cancelled but when she asked whether it was an error, the customer care representative was not able to confirm that.
Another man was called twice from hospital – last week and this week – to be reminded that he had a surgery coming up. Only it was not his surgery.
Others discovered their medical records showed they were admitted to hospital, underwent tests and were prescribed medication by several doctors. None of that ever happened to them.
Another man was called twice from hospital – last week and this week – to be reminded that he had a surgery coming up. Only it was not his surgery.
One man, who owns a business and employs over hundred people, turned livid when he discovered, by chance, that he was also affected.
He said he was reading social media comments about the issue this week, when he turned to his wife and told her that if it happened to him, he would be so mad he would probably sue the government.
“That’s when my wife said: ‘Why don’t you check your MyHealth account?’ We checked and sure enough, there it was – it said I went to a clinic for blood tests last September. That’s impossible, as I was living abroad back then,” he said.
“I’m now extremely concerned about my employees, because if my bank suspects I have committed some identity theft, they could close all my accounts. This is very serious.”
Another man – a professional who holds a PhD – said he received a letter about four months ago confirming a hospital appointment he had never scheduled.
“It was strange because the letter went to my parents’ house, and I have not lived there for more than two decades. And the name of the street wasn’t even the name the street has now, but a name it previously had back then.”
While some of those impacted worry about the repercussions of what could be identity theft, others appear unperturbed.
“I know I haven’t visited doctors for the condition they told me I had. I know I wasn’t admitted to hospital and that no doctor referred me to any surgery, so I knew I had nothing to worry about and dismissed it as an administrative error,” one man said.
Investigations opened
The Information and Data Protection Commissioner confirmed that he is investigating the issue but said it would be “presumptuous” to speculate on what the issue might be at this early stage.
“Investigations on complaint-based and ex-officio cases have been initiated or are in the final internal process of being launched,” Commissioner Ian Deguara said.
“The scope and purpose of our investigations are primarily to establish facts while ensuring that the parties’ right to be heard is guaranteed throughout the process. On the basis of those findings, legal deliberations will be made and a legally-binding decision issued.”
Corrective actions would then depend on a number of factors, including the nature and gravity of infringements and the degree of responsibility of the “controller”, he added.
‘Extremely serious allegations’
Health Minister JoEtienne Abela told Times of Malta he was concerned by the “extremely serious allegations”.
He said he was “not personally aware of any such complaints” but offered to look into the cases individually.
“We shall inform the people concerned that we will scrutinise their records for any inaccuracies,” he said.
Identità said it has no control or responsibility for the data validation techniques employed by the Mater Dei appointment system or any other third-party system, including that of private companies.
“It is essential that third-party IT systems implement strong and robust data validation methods to ensure their data is always up-to-date and compliant with GDPR regulations,” it said.
It also said it has not received such complaints and explained each ID card holder is assigned a unique number, “generated from the birth act number recorded when a child’s birth is registered, with the last two digits reflecting the year of birth” and that death certificates are recorded in the public registry system only when a death certificate has been issued by a doctor and when a family member registers the death.