Australia’s health service providers suffered more data breaches than any other sector between April 1 and June 30, 2018, according to the Office of the Australian Information Commissioner (OAIC).
Out of a total of 242 breach notifications, 49 were reported by the health sector — mostly due to human error.
The results mirror the OAIC’s January to March 2018 report, in which health service providers also reported the most breaches, ahead of the finance and legal sectors.
And while the report does not include My Health Record breach notifications, one expert says it does highlight the ongoing risk posed to privacy by “human error” in the health industry.
The Government’s new data breach notification scheme began on February 22, 2018, requiring companies and government agencies to disclose breaches involving personal information that are likely to result in serious harm to the individuals concerned.
“In terms of the two top sectors that have reported, health and financial institutions, we also see that they’re the organisations that have some of the biggest data holdings across the economy,” acting Australian Information Commissioner Angelene Falk said.
“One way in which the health sector can ensure that trust is to be transparent and accountable when breaches occur, but also to take steps to mitigate against those breaches.”
The fault of human error
The OAIC reported that the majority of health sector data breaches were down to human error — in particular, sending personal details to the wrong email or postal address, and losing paperwork or storage devices.
The second most common cause of health sector breaches was malicious or criminal attack, a figure that reflects growing concern about hackers targeting health information.
Dr Bruce Baer Arnold, an expert in health law at the University of Canberra, was not surprised by the health sector statistics.
But this could be due in part, he suggested, to conscientiousness around reporting the loss of medical data.
“People have an awareness that health privacy is significant,” Dr Baer Arnold explained, adding that, unlike a credit card number, health information can’t simply be changed once exposed.
Health service providers as defined by the scheme can include entities such as private hospitals, day surgeries or pharmacies, but not public hospitals — these are generally governed by state privacy laws.
My Health Record concerns
The OAIC’s quarterly report does not include breach notifications made under the My Health Records Act.
But the report’s release comes amid debate over the security of the My Health Record project.
The Government has promised the online database of health information is secure, but privacy advocates are concerned that the system’s design makes unauthorised access to health information more likely.
A spokesperson from the Australian Digital Health Agency, which runs the My Health Record system, said there had been no cyber breach to date.
However, the OAIC’s annual digital health report, published in September last year, showed that 11 people were affected by unauthorised third-party access to My Health Records in 2016–17.
Dr Baer Arnold said the rate of human error in the health sector did raise questions about My Health Record and the potential for sensitive information to be lost.
“We’re constantly being reassured it’s safe as houses, but there are real concerns in the IT community as well as in the legal and the health community, about the human element,” Dr Baer Arnold said.
“Trust is the basis of good public health, so anything that erodes that trust is bad.”
Acting Information Commissioner Falk said breaches are an issue that everyone has a role in guarding against.
“Whether it’s the My Health Record system or any online system, what this report points to is an obligation on all entities to ensure they’ve got the right security in place,” she said.
More breaches are being reported
Overall, the number of reported data breaches has jumped since Australia’s notification scheme came into effect in late February.
The OAIC received 114 voluntary data breach notifications in the whole of the 2016–17 financial year, compared with 242 under the new scheme in the last quarter of 2017–18 alone.
Under the scheme, companies must notify the OAIC and the affected individuals as soon as practicable once they have established what happened, whether the breach can be contained, and whether it is likely to result in serious harm to the people involved.
In the OAIC’s most recent quarterly report, 89 per cent of all breaches involved people’s contact information, such as home addresses, email addresses and phone numbers.
Thirty-nine per cent involved identity information, including passport or driver’s licence numbers, and 25 per cent exposed health information.
Most breaches overall were due to malicious or criminal attack, a category that includes phishing, malware, the use of stolen login credentials, and the theft of paperwork or storage devices.
The OAIC is also publishing guidance for organisations to help them prevent and respond to data breaches.