Health sector hit by data breaches
Angelene Falk: The information commissioner says awareness of the program is growing
The Office of the Australian Information Commissioner was notified of more than two data breaches per day in the last quarter as part of the new notification scheme, with the health sector the worst hit.
The OAIC has published its much-anticipated quarterly report for April to June of the mandatory data breach scheme. It’s the first full quarter that the scheme has been in operation, with 242 notifications being reported.
With 63 breaches reported in the first quarter, more than 300 data breaches have been reported by Australian businesses and agencies in the first half of this year.
The private health sector reported the most data breaches during the quarter, amid widespread concerns over the security of the government’s My Health Record service.
The federal government’s new scheme requires all Australian government agencies and any organisation or company with an annual turnover of $3 million or more to notify individuals if their information has been exposed in a breach that is likely to cause “serious harm”. The entity must also report the breach to the OAIC.
Acting privacy and information commissioner Angelene Falk said the sharp increase in reported breaches showed awareness of the scheme is improving among Australian businesses and agencies.
“Notifications this quarter show that one of the key aims of the scheme – ensuring individuals are made aware when the security of their personal data is compromised – is being met,” Ms Falk said.
“Data breach notification to individuals by the entities experiencing the data breach can equip individuals with the information they need to take steps to reduce their risk of experiencing harm, which can reduce the overall impact of a breach,” she said.
“Notification to the OAIC also increases transparency and accountability. The report provides important information on the causes of data breaches so all entities can learn lessons and put in place prevention strategies.”
The majority of the reported breaches were the result of “malicious or criminal” attacks. While most breaches in the first quarter of the scheme resulted from human error, nearly 60 per cent of breaches in the latest quarter were the result of malicious attacks, many of them incidents involving compromised credentials.
Human error was still responsible for more than a third of the breaches, including individuals sending personal information to the wrong email address.
Most of the breaches impacted fewer than 100 people, while 38 per cent impacted 10 or fewer individuals.
One of the reported breaches impacted more than one million people, and two impacted more than 50,000.
The majority of the reported breaches involved personal contact information, with 102 featuring financial details being obtained, and 94 with identity information.
Nearly 50 of the breaches were in the private health sector, with the OAIC clarifying that this didn’t involve the government’s highly controversial My Health Record service.
The high number of breaches in the health sector is likely to heighten privacy and security concerns surrounding the service, which recently switched to being opt-out.
A number of digital rights advocates have said that the digital health record could act as a “honeypot” for hackers, with very sensitive medical records potentially breached.
“There are inherent risks in having a single central database of valuable health data. It’s a very attractive target for cyber criminals. We believe a data breach is just a matter of time,” Electronic Frontiers Australia board member Justin Warren told InnovationAus.com.
It comes as the wait for a permanent Australian privacy and information commissioner continues, despite the agency saying it was “literally checking referees” in May.
Ms Falk has been acting commissioner since Timothy Pilgrim’s retirement from the roles in late March.
The hiring process had been expected to be completed by late June, but a month later no announcement has been made.
With the increased workload from the new data breach notification scheme, and a heightened public awareness of data security and privacy, there are concerns that the OAIC is under-funded and under-resourced.
Despite receiving an additional $2.8 million in this year’s budget to guide its work on the Consumer Data Right, the agency has not received any additional funding to help it adequately complete its vast workload.
This led former Victorian privacy commissioner David Watts to say the OAIC is “stretched beyond breaking points”, and for many senators to raise concerns that the office is “very overworked”.