Report reveals health needs to take data security more seriously

The health sector topped the list of sectors that notified the Office of the Australian Information Commissioner (OAIC) of eligible data breaches since 22 February, according to the Commissioners’ first quarterly report since the new mandatory data breach reporting legislation came into effect.

Key findings impacting healthcare

 The report revealed the OAIC received 63 data breach notifications under the Notifiable Data Breaches (NDB) scheme during the first six weeks of the scheme’s operation. In the 2016–17 financial year, the OAIC received 114 data breach notifications on a voluntary basis. Of the 63 Australian organisations affected, 24 per cent of them were in healthcare.

Key statistics from the first quarterly report include:

• Top five sectors that notified the OAIC of eligible data breaches included health service providers (24 per cent of notifications), legal, accounting and management services (16 per cent), finance (13 per cent), private education (10 per cent), and charities (6 per cent).
• 78 per cent of eligible data breaches were reported to involve individual’s contact information. 33 per cent were reported to involve health information and 30 per cent to involve financial details.
• 51 per cent of the eligible data breach notifications received indicated that the cause of the breach was human error. 44 per cent of breaches were reported to be the result of malicious or criminal attack, and 3 per cent the result of system faults.
• 59 per cent of data breach notifications reported that the personal information of between one and nine individuals was affected. 90 per cent of data breach notifications related to breaches involving the personal information of less than 1,000 individuals.

Human error at the root of most data breaches

Interestingly, Falk highlighted just over half of the eligible data breach notifications the OAIC received in the first quarter indicated that the cause of the breach was human error.

“In the 2016–2017 financial year 46 per cent of the data breach notifications received by the OAIC voluntarily were also reported to be the result of human error,” The OAIC’s acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, said. “This highlights the importance of implementing robust privacy governance alongside a high-standard of security. The risk of a data breach can be greatly reduced by implementing practices such as Privacy Impact Assessments, information security risk assessments, and training for any staff responsible for handling personal information.”

About the NDB Scheme

The new NDB scheme, requires entities with obligations to secure personal information under the Privacy Act 1988 to notify individuals when their personal information is involved in a data breach that is likely to result in serious harm. These data breaches are referred to as ‘eligible data breaches’. Entities must also notify the OAIC about eligible data breaches.

The scheme applies to all kinds of personal and sensitive information. Examples include names, addresses, email addresses, genders, family members, financial information, tax file numbers and medical history.
“A data breach notification provides individuals with the chance to take steps that reduce their risk of experiencing harm, such as changing relevant passwords for online accounts. This can reduce the overall impact of a breach,” Falk added. “Over time, the quarterly reports of the eligible data breach notifications received by the OAIC will support improved understanding of the trends in eligible data breaches and promote a proactive approach to addressing security risks.”