| Published by Craig Subocz, Michael Gorton AM, Andrew Chalet
In July 2018, the Office of the Australian Information Commissioner (OAIC) released a report summarising the notifications received under the notifiable data breaches (NDB) scheme between 1 April and 30 June 2018.
These statistics reveal that Australia’s health sector organisations remain vulnerable to data breaches. Approximately 20% of the reports were made by organisations in the health sector. Of those notifications from health sector organisations, the single largest cause of breach was human error (responsible for 59% of the data breaches), with the remainder (41% of the data breaches) caused by malicious or criminal attack.
The OAIC’s report highlights that health sector organisations should proactively manage data security and take steps to minimise the possibility of a reportable data breach. These steps include:
Reduce the likelihood of a breach
Health sector organisations are required to destroy or de-identify personal information if the information is no longer required for the purpose(s) for which the information was collected and there are no legal requirements to keep the information. Lawfully reducing the amount of information held by an organisation is a good start to reducing exposure to a data breach.
Review and update information handling processes
Develop and embed a culture of respect for privacy
Most organisations in the health sector have a healthy respect for privacy, as it is part and parcel of the work they do. But, as the statistics demonstrate, a key contributor to notifiable data breaches is employee mistakes. Therefore, regular training on the importance of privacy and how the organisation handles the issue will contribute to minimising the risk of a notifiable data breach occurring. The training should focus on how a data breach might occur, what employees should do if they see or suspect a data breach occurring, and how the organisation will handle the data breach.
Develop, implement and test a data breach response plan
The plan should set out how the organisation will respond to a report of a data breach and include information on who within and outside the organisation will manage the response to a data breach. It is important to regularly test the plan to make sure that if and when a data breach is detected, staff and executives can rely on the plan to address and resolve the breach.
Number of breaches reported – all sectors
Data breaches notified to the OAIC between February and June 2018 rose each month since the mandatory reporting scheme took effect on 22 February 2018:
Number of individuals affected – all sectors
Most reported breaches affected up to 1,000 individuals per breach (200 breaches notified). The OAIC was notified of 23 breaches affecting 1,001-5,000 individuals, six breaches affecting 5,001-10,000 individuals, three breaches affecting 10,001-25,000 individuals, two breaches affecting 50,001-100,000 individuals and one breach affecting over 1 million individuals.
Kinds of information affected – all sectors
Data breaches tend to involve multiple categories of personal information. Per the OAIC:
Sources of data breaches – health sector
Of the 49 breaches notified from health sector organisations, human error caused 29 breaches, and malicious or criminal attack caused the remaining 20 breaches.
The OAIC further broke down the “human error” causes of data breaches as follows:
The OAIC reported that three types of malicious or criminal attack data breaches affected information held by organisations in the health sector (compared to all sectors), namely:
According to the OAIC, “cyber incidents” could be classified as follows:
After several stalled attempts, on 13 February 2017, the Australian Senate passed legislation amending the Privacy Act 1988 (Cth) requiring regulated entities to report "eligible data breaches" to the Privacy Commissioner and to affected individuals.