
            Data Breaches on the rise in the Health Sector

            Are your medical records in safe hands? Theft of paperwork and storage devices in the Health sector is on the rise.

            Date: 03/10/2018

            The Notifiable Data Breaches Scheme (the Scheme) requires Australian Government agencies and various organisations to notify the Australian Information Commissioner of certain data breaches. In April 2018 we reported on the first Notifiable Data Breaches Quarterly report. On 31 July 2018, the Office of the Australian Information Commissioner (OAIC) issued its Quarterly Report for the period 1 April to 30 June 2018 (the June Quarter). This paper highlights key statistics of the most recent report, with a particular focus on the health sector.

            In its most recent report, the OAIC confirmed that the June Quarter involved 242 reported data breaches. At first glance, this appears to be a significant increase from the 63 breaches for the period January to 20 March 2018 (the Previous Quarter); however, the Previous Quarter was not a full one, as the Scheme did not commence until 22 February 2018.

            Of the 242 breaches notified in the June Quarter, 36% were attributable to human error, 59% were the result of malicious or criminal attacks and 5% were the result of system faults. The causes of the human errors were as follows:

            • 22 notifications - involved emails containing personal information which was inadvertently sent to the wrong recipient;

            • 12 notifications - involved an unintended release and/or publication of personal information;

            • 10 notifications - involved personal information sent by post to the wrong mail recipient.

            In the June Quarter, ONE human error involving the loss of a storage device affected 1199 individuals.

            Malicious or criminal attacks

            The majority of the breaches in the June Quarter were attributable to malicious or criminal attacks - deliberate acts to obtain information for financial or other gain. The attacks included cyber incidents such as phishing, malware, ransomware, brute-force attacks and credentials compromised or stolen by other means, as well as social engineering or impersonation and the actions of rogue employees or insider threats.

            The Health sector

            For the June Quarter, 49 of the 242 breaches (20%) involved the health sector, an increase from the 15 (24%) reported breaches in the Previous Quarter. As in the Previous Quarter, the June Quarter again saw the health sector account for the greatest proportion of reported breaches, followed closely by the finance sector with 36 notifications.

            Relevantly, these statistics do not include notifications under the My Health Records Act 2012, which are subject to different notification requirements. Nor do the statistics include breaches of State or Territory public hospitals or health services, as a health service provider, for the purposes of the Scheme, generally means any private sector entity that provides health services within the meaning of s 6FB of the Privacy Act.

            Health information continues to be a lucrative target for hackers, with weaponised ransomware, misconfigured cloud storage buckets and phishing emails dominating the attacks on the health sector. These threats are likely to continue, and cybercriminals are likely to get more creative. Whilst data breach notification requirements appear to be a positive step for identifying data insecurity, further reform, investment and insurance are necessary to ensure stronger cybersecurity.

            Evidently, much more also needs to be done to minimise human errors.


            If you have any general enquiries on any Health Law related matters please contact Hamish Broadbent or Natalie Mason.
