Health Sector Tops Data Breach Notifications This Quarter.
In February 2018, amendments to the Privacy Act 1988 came into effect that require entities covered by the Act to notify the Office of the Australian Information Commissioner (OAIC) when an eligible data breach occurs. The scheme also requires those entities to notify the individuals whose personal information is involved in a breach that is likely to result in serious harm. The OAIC has released its statistics for the April to June quarter:
242 data breach notifications were made in the quarter.
36% were the result of human error and 59% were malicious or criminal attacks. Most malicious attacks were cyber incidents that still relied on a staff mistake, such as clicking on a phishing email or disclosing a password; theft of paperwork or storage devices was the next most common source. Human error therefore remains a concern in both categories.
Most breaches (61%) involved the personal information of 100 people or fewer.
An individual's health information was involved in 25% of breaches.
Health Sector: highest number of breaches in the quarter
The health industry had the highest number of breaches this quarter, with 49 in total. Of those 49, 59% were due to human error, including mistakes such as:
lost paperwork/insecure disposal of personal information
sending information to the wrong person
not using the blind carbon copy (BCC) email function; and
the unauthorised disclosure of information.
Among malicious attacks, the health sector was most affected by the theft of paperwork or storage devices.
Four Lessons We Can Take From These Findings:
Staff education remains paramount. Do not click on links or attachments in emails that you do not recognise as coming from a legitimate source, or that look suspicious. If in doubt, verify by phone rather than replying to the email.
Do not disclose passwords to ANYONE, including people inside the organisation who do not need access. Change passwords that protect highly sensitive information regularly, and immediately if you suspect they have been disclosed.
Carrying personal information on portable storage devices such as USB sticks is always risky and is strongly advised against. If it cannot be avoided, the device should be encrypted so that a lost or stolen stick does not become a notifiable breach.
Failure to use BCC when sending group emails accounted for a high number of the data breaches reported this quarter. Staff should be clearly told when and how to use the BCC function: it takes a split second to send an email to the wrong people, and once it is sent you cannot get it back. Avoid sending group emails that contain sensitive information at all. For newsletters and similar communications, use a dedicated email platform, which sends each recipient an individual message and so does not disclose other recipients' addresses. Ensure all emails you send have a disclaimer attached.
Many data breach incidents could be avoided completely, or at least minimised, by learning from where breaches are occurring; this can help fill the gaps in your own practice. You can access the full OAIC report here, or read more about the Privacy Act changes on the government's official website.
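The BCC lesson above can be enforced in code rather than left to memory. The following Python example is added here and is not part of the original article or of You Legal's material. It builds a group email with the recipients in Bcc, runs a pre-send check that refuses any message exposing more than one address in To/Cc, and strips the Bcc header before the message bytes are handed to a mail API, so the hidden list is not leaked inside the message itself. The clinic and patient addresses and the one-visible-recipient limit are constructed assumptions.

```python
"""Guard against the "forgot to BCC" data breach.

Added example, not from the original article: builds a group email with
recipients hidden in Bcc, refuses to send a message that exposes more than
one address in To/Cc, and strips the Bcc header before the bytes go out.
"""
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Hypothetical policy value: a group email may show at most one visible
# recipient (normally the sender's own address in To).
MAX_VISIBLE_RECIPIENTS = 1


def addresses_in(msg, *header_names):
    """Bare email addresses found in the named headers, in order."""
    raw = []
    for name in header_names:
        raw.extend(msg.get_all(name, []))
    return [addr for _, addr in getaddresses(raw) if addr]


def build_message(sender, to, subject, body, bcc=()):
    """Build a message. Everything in `to` is visible to every recipient;
    everything in `bcc` is not."""
    msg = EmailMessage()
    msg["From"] = sender
    if to:
        msg["To"] = ", ".join(to)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_group_message(sender, recipients, subject, body):
    """The safe pattern: self-addressed To, everyone else in Bcc."""
    return build_message(sender, [sender], subject, body, bcc=recipients)


def check_recipient_exposure(msg, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Pre-send check. Returns a list of problems; empty means OK to send."""
    problems = []
    visible = addresses_in(msg, "To", "Cc")
    hidden = addresses_in(msg, "Bcc")
    if len(visible) > max_visible:
        problems.append(
            f"{len(visible)} addresses visible in To/Cc (limit {max_visible}); "
            "move them to Bcc")
    if not visible and not hidden:
        problems.append("message has no recipients")
    return problems


def prepare_for_smtp(msg):
    """Return (envelope recipients, message bytes) with Bcc removed.

    smtplib.SMTP.send_message() does this for you, but SMTP.sendmail() and
    most HTTP mail APIs take raw bytes, and a Bcc header left in them is
    delivered to, and readable by, every recipient.
    """
    envelope = addresses_in(msg, "To", "Cc", "Bcc")
    # A shallow copy is enough: __delitem__ rebinds the header list rather
    # than mutating it, which is the same trick smtplib uses.
    outgoing = copy.copy(msg)
    del outgoing["Bcc"]
    return envelope, outgoing.as_bytes()


if __name__ == "__main__":
    # Constructed sample data, not real patients.
    sender = "reception@clinic.example"
    patients = ["a.patient@example.net", "b.patient@example.org",
                "c.patient@example.com"]
    leaky = build_message(sender, patients, "Flu clinic", "Bookings open Monday.")
    print("leaky:", check_recipient_exposure(leaky))   # one problem; do not send
    safe = build_group_message(sender, patients, "Flu clinic", "Bookings open Monday.")
    print("safe:", check_recipient_exposure(safe))     # []
    envelope, raw = prepare_for_smtp(safe)
    print("envelope:", envelope)
    print("Bcc header leaked into message bytes:", b"Bcc" in raw)
```

The check is deliberately simple: it looks only at how many addresses are visible, not at who they are, so it also catches the common case of a reply-all that drags a patient list into Cc. A dedicated mailing platform that sends one message per recipient, as the lesson above recommends, remains the better control for routine newsletters; this guard is for the ad hoc group emails that bypass such a platform.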
More Information About Data Breach
You Legal's notifiable data breach laws brochure is a quick, easy-to-read reference guide that tells you how to respond when your organisation suffers a data breach. It will help ensure that you are meeting your obligations as an APP entity.
What should I do now?
Privacy and data protection are topics that cannot be ignored as the Government continues to ramp up its focus. If you want to discuss your current privacy and data security procedures, you can contact us here.