Cyber attack

Health sector most vulnerable to data breaches

Craig Subocz, Michael Gorton AM, Andrew Chalet

In July 2018, the Office of the Australian Information Commissioner (OAIC) released a report summarising about notifications received under the notifiable data breaches (NDB) scheme between 1 April-30 June 2018.

These statistics reveal Australia’s health sector organisations remain vulnerable to data breaches. Approximately 20% of the reports were made by organisations in the health sector. Of those notifications from health sector-based organisations, the single largest cause of the breach was human error (responsible for 59% of the data breaches), with the remaining cause (responsible for 41% of the data breaches) being a malicious or criminal attack.

The OAIC’s report highlights that health sector organisations should proactively manage data security and to take steps to minimise the possibility of a reportable data breach. These steps include:

  • taking steps to destroy or de-identify information that is no longer required (including information that is no longer required to comply with statutory obligations) to reduce the likelihood of a data breach;
  • reviewing and updating the organisation’s information handling processes, procedures and systems (including the organisation’s privacy policy and collection statements) to ensure that they are consistent with the organisation’s legal obligations;
  • embedding a culture of respect for privacy in the organisation through regular staff training on privacy; and
  • developing, implementing and testing a data breach response plan.

Reduce the likelihood of a breach

Health sector organisations are required to destroy or de-identify personal information if the information is no longer required for the purpose(s) for which the information was collected and there are no legal requirements to keep the information. Lawfully reducing the amount of information held by an organisation is a good start to reducing exposure to a data breach.

Review and update information handling processes

This involves ensuring that technological measures, such as anti-virus software and firewall software, are up-to-date and that the security updates and releases are installed as soon as possible. But it also involves reviewing and discussing with contractors and suppliers how they handle personal information they receive from the organisation. Further, it requires the organisation to ensure that its privacy policy and statements on how it handles personal information are up-to-date, accurate and comprehensive.

Develop and embed a culture of respect for privacy

Most organisations in the health sector have a healthy respect for privacy, as it is part and parcel of the work they do. But, as the statistics demonstrate, a key contributor to notifiable data breaches are employee mistakes. Therefore, regular training on the importance of privacy and how the organisation handles the issue will contribute to minimising the risk of a notifiable data risk occurring. The training should focus on how a data breach might occur, what employees should do if they see or suspect a data breach occurring and how the organisation will handle the data breach.

Develop, implement and test a data breach response plan

The plan should set out how the organisation will respond to a report of a data breach and include information on who within and outside the organisation will manage the response to a data breach. It is important to regularly test the plan to make sure that if and when a data breach is detected, staff and executive can rely on the plan to address and resolve the breach.

Number of breaches reported - all sectors

Data breaches notified to the OAIC between February-June 2018 rose each month since the mandatory reporting scheme took effect on 22 February 2018:

Types of human error responsible

Number of individuals affected - all sectors

Most reported breaches affected up to 1,000 individuals per breach (200 breaches notified). The OAIC was notified of 23 breaches affecting 1,001-5,000 individuals, six breaches affecting 5,001-10,000 individuals, three breaches affecting 10,001-25,000 individuals, two breaches affecting 50,001-100,000 individuals and one breach affecting over 1 million individuals.

Kinds of information affected - all sectors

Data breaches tend to involve multiple categories of personal information. Per the OAIC:

  • 89% of reported breaches involved “contact information” (e.g., an individual’s home address, phone number and/or email address);
  • 42% involved financial details;
  • 39% involved “identity information” (e.g., information used to verify an individual’s identity, such as driver’s licence and passport details);
  • 25% involved “health information (e.g., information about an individual’s current health, the health services the individual received and/or the individual’s wishes regarding future health services);
  • 19% involved tax file number information; and
  • 8% involved other sensitive information.

Source of data breaches - health sector

Of the 49 breaches notified from health sector organisations, human error caused 29 breaches, and malicious or criminal attack caused the remaining 20 breaches.

The OAIC further broke down the “human error” causes of data breaches as follows:

Graph - Number of Reported Breaches

The OAIC reported that three types of malicious or criminal attack data breaches affected information held by organisations in the health sector (compared to all sectors), namely:

Breakdown of malicious attacks

According to the OAIC, “cyber incidents” could be classified as follows:

Cyber incidents

For further information, contact Michael Gorton AM, Andrew Chalet and Craig Subocz.

If you’d like to stay up to date with insights from the health sector, please sign up here

View related insights

doctor-working-at-the-medical-network-on-the-tablet 360 x 240

Health Bulletin 4 June 2021

4 Jun 2021

The latest insights from our Health Law team.


Health Bulletin 25 May 2021

25 May 2021

The latest insights from our Health Law team.

stethoscope-on-white-background 360 x 240

Can trainees’ personal reflections be used in Court? (Revisited)

17 May 2021

The 2019 case in the UK of Dr Bawa-Garba has raised concerns in Australia and New Zealand for young doctors and trainees.