In July 2018, the Office of the Australian Information Commissioner (OAIC) released a report summarising about notifications received under the notifiable data breaches (NDB) scheme between 1 April-30 June 2018.
These statistics reveal Australia’s health sector organisations remain vulnerable to data breaches. Approximately 20% of the reports were made by organisations in the health sector. Of those notifications from health sector-based organisations, the single largest cause of the breach was human error (responsible for 59% of the data breaches), with the remaining cause (responsible for 41% of the data breaches) being a malicious or criminal attack.
The OAIC’s report highlights that health sector organisations should proactively manage data security and to take steps to minimise the possibility of a reportable data breach. These steps include:
- taking steps to destroy or de-identify information that is no longer required (including information that is no longer required to comply with statutory obligations) to reduce the likelihood of a data breach;
- reviewing and updating the organisation’s information handling processes, procedures and systems (including the organisation’s privacy policy and collection statements) to ensure that they are consistent with the organisation’s legal obligations;
- embedding a culture of respect for privacy in the organisation through regular staff training on privacy; and
- developing, implementing and testing a data breach response plan.
Reduce the likelihood of a breach
Health sector organisations are required to destroy or de-identify personal information if the information is no longer required for the purpose(s) for which the information was collected and there are no legal requirements to keep the information. Lawfully reducing the amount of information held by an organisation is a good start to reducing exposure to a data breach.
Review and update information handling processes
This involves ensuring that technological measures, such as anti-virus software and firewall software, are up-to-date and that the security updates and releases are installed as soon as possible. But it also involves reviewing and discussing with contractors and suppliers how they handle personal information they receive from the organisation. Further, it requires the organisation to ensure that its privacy policy and statements on how it handles personal information are up-to-date, accurate and comprehensive.
Develop and embed a culture of respect for privacy
Most organisations in the health sector have a healthy respect for privacy, as it is part and parcel of the work they do. But, as the statistics demonstrate, a key contributor to notifiable data breaches are employee mistakes. Therefore, regular training on the importance of privacy and how the organisation handles the issue will contribute to minimising the risk of a notifiable data risk occurring. The training should focus on how a data breach might occur, what employees should do if they see or suspect a data breach occurring and how the organisation will handle the data breach.
Develop, implement and test a data breach response plan
The plan should set out how the organisation will respond to a report of a data breach and include information on who within and outside the organisation will manage the response to a data breach. It is important to regularly test the plan to make sure that if and when a data breach is detected, staff and executive can rely on the plan to address and resolve the breach.
Number of breaches reported - all sectors
Data breaches notified to the OAIC between February-June 2018 rose each month since the mandatory reporting scheme took effect on 22 February 2018:
Number of individuals affected - all sectors
Most reported breaches affected up to 1,000 individuals per breach (200 breaches notified). The OAIC was notified of 23 breaches affecting 1,001-5,000 individuals, six breaches affecting 5,001-10,000 individuals, three breaches affecting 10,001-25,000 individuals, two breaches affecting 50,001-100,000 individuals and one breach affecting over 1 million individuals.
Kinds of information affected - all sectors
Data breaches tend to involve multiple categories of personal information. Per the OAIC:
- 89% of reported breaches involved “contact information” (e.g., an individual’s home address, phone number and/or email address);
- 42% involved financial details;
- 39% involved “identity information” (e.g., information used to verify an individual’s identity, such as driver’s licence and passport details);
- 25% involved “health information (e.g., information about an individual’s current health, the health services the individual received and/or the individual’s wishes regarding future health services);
- 19% involved tax file number information; and
- 8% involved other sensitive information.
Source of data breaches - health sector
Of the 49 breaches notified from health sector organisations, human error caused 29 breaches, and malicious or criminal attack caused the remaining 20 breaches.
The OAIC further broke down the “human error” causes of data breaches as follows:
The OAIC reported that three types of malicious or criminal attack data breaches affected information held by organisations in the health sector (compared to all sectors), namely:
According to the OAIC, “cyber incidents” could be classified as follows:
For further information, contact Michael Gorton AM, Andrew Chalet and Craig Subocz.
If you’d like to stay up to date with insights from the health sector, please sign up here.