Private health providers called out in quarterly Australian data breach report

OAIC finds private health service providers and finance are the two most-breached sectors from April to end of June.
Written by Chris Duckett, Contributor

The Office of the Australian Information Commissioner (OAIC) has released its first full quarterly update since the Notifiable Data Breach scheme (NDB) came into effect in February, and once again, private health continues to be the most breached sector.

For the period April to June, OAIC received 242 notifications, an increase of more than 380 percent compared to the previous period's 63 notifications. One breach impacted over 1 million Australians, the office said, with 52 affecting between 100 and 1,000 people, 55 between 11 and 100 individuals, 42 hitting from two to 10 people, and 51 events affecting a single person.

Nearly half of all notified breaches involved financial details, and almost all involved contact information such as home address, phone number, or email address.

Broken down by sector, private health reported 49 breaches, followed by finance on 36, legal and accounting on 20, education with 19, and business and professional organisations reporting 15 breaches.

The report only covers private health service providers under the NDB, OAIC said, with public hospitals and health services covered by the My Health Records Act and hence not included in the report.

Private health was the only sector called out for insider threats, with three of the breaches falling under the rogue employee or insider threat banner. Theft of paperwork or storage device accounted for nine breaches within health, with cyber incidents including hacking, phishing, ransomware, and brute-force attacks responsible for eight breaches.

Human error was responsible for 59 percent of the breaches within health, with providers sending information to the wrong people the leading cause.

Compared to the last report, health notifications jumped from 15 to 49 in this quarter.

Finance experienced a similar spike, rising from eight breaches to 36 breaches, with human error and malicious attacks roughly equal as causes.

On the human error side, sending information to the wrong people led the way, while cyber incidents was a clear leader in the malicious attacks category. Within the cyber incidents, half were phishing attacks, stolen or compromised credentials accounted for 36 percent, while ransomware and brute force attacks made up 7 percent each.

The finance sector also reported one breach in its sector was a result of "system faults".

"Notifications this quarter show that one of the key aims of the scheme -- ensuring individuals are made aware when the security of their personal data is compromised -- is being met," acting Australian Information Commissioner and acting Privacy Commissioner Angelene Falk said.

"The OAIC continues to work with entities to ensure compliance with the scheme, offer advice and guidance in response to notifications, and consider appropriate regulatory action in cases of non-compliance."

In recent weeks, the Australian government has attempted to hose down privacy and security concerns over its centralised digital health record system, My Health Record.

Must read: Very little is stopping My Health Record being hooked up to robo-debt

Minister for Health Greg Hunt has repeated assertions that the system is safe and has a higher level of security than banks.

"The records are of course much more secure than in a GP clinic, which generally they have very, very high standards in any event, but this has a 24-hour cybersecurity centre," Hunt said last week.

"It's been tested to military grade. Some of the intelligence agencies have actually done the testing. And there's this 24-hour cybersecurity, which doesn't apply in relation to other records."

Concerns have been raised about warrantless access to medical data by law enforcement agencies and other arms of government, as well as health providers being able to look up the data of any citizen they want.

Also see: The My Health Record story no politician should miss

In response, Hunt has said the Australian Digital Health Agency (ADHA) has a policy to only hand data over under court order or warrant, even though the legislation allows for ADHA to pass information on to any government agency that can make a case for increasing public revenue.

The head of the Australian Medical Association, Dr Tony Bartone, is set for discussions with Hunt this week to make the digital record meet the current requirements for doctors to disclose a patient's medical record, namely only under a court order or warrant.

Related Coverage

PageUp says it is 'probable' customer data was externally accessed

An update from the SaaS HR provider has said it believes the accessed data may include names, street addresses, email addresses, and telephone numbers of its clients.

Malware hits HR software firm PageUp with possible data compromise

The company said the malware attack has potentially exposed the names and contact details of its clients, such as Telstra.

Dimension Data pins education as Australia's most attacked industry

Dimension Data has reported that the education sector topped the list of attacked industries in Australia in the past year, accounting for 26 percent of total attacks

Information on thousands of clients accessed in Family Planning NSW breach

Thousands of people's personal information may have been compromised after Family Planning NSW's online databases suffered a ransomware attack last month.

My Health Record opt-out period from July 16 to October 15, 2018

The window for Australians to opt out of an electronic health record has been announced by the government.

Reported breaches not painting complete picture of Australian security landscape

Although 63 data breaches were reported to the Office of the Australian Information Commissioner in less than six weeks, FireEye's Mandiant has warned the figure is higher, but organisations are unsure if their breach fits the brief.

Editorial standards