The healthcare industry has again reported the most data breaches to the privacy regulator in the first half of 2022, continuing a trend since Australia’s reporting scheme began in 2018.
Key points:
- Health services reported 79 data breaches from January to June 2022
- Overall, 396 data breaches were reported to the privacy regulator
- The notifiable data breach scheme has been in place since 2018, but critics want greater enforcement
The focus of heightened scrutiny following the Medibank hack, which exposed highly sensitive information about Australians, health service providers informed the privacy commissioner of 79 data breaches, followed by finance (52) and education (35) between January and June 2022.
Under the Notifiable Data Breach (NDB) scheme, organisations must report a breach to the Office of the Australian Information Commissioner (OAIC) if the data revealed includes personal information that is likely to result in serious harm, such as date of birth or address.
Harms might include identity theft, the exposure of location details in a family violence situation, or a threat to someone’s reputation.
Overall, 396 breaches were reported according to the OAIC’s latest summary — 14 per cent fewer than the 460 notifications in July to December 2021.
However, there were more data breaches involving a large number of Australians in the first half of 2022: four affected 100,000 or more, compared with just one in the previous half-year.
“The number of larger scale breaches caused by cyber security incidents reiterates the importance of entities having measures in place to protect, detect and respond to the range of cyber threats in the environment,” Privacy Commissioner Angelene Falk said in a statement.
Most data breaches were caused by what the OAIC calls “malicious or criminal attacks” — 31 per cent from ransomware, followed by phishing, when someone sends an email or text designed to trick the recipient into sharing passwords or other details.
Health may suffer more data breaches because it’s more of a “cottage industry” than, for instance, financial services, according to Peter Leonard, principal at Data Synergies.
“You think about all of the personal information about your aunt who is in a nursing home, that that nursing home has to handle to look after her wellbeing,” he said.
A data breach could include health information in an email sent to the wrong person, or even lost paperwork.
Likewise, the potential threat surface in health care is significant: “There is a lot of sharing of data between individuals delivering health services, the GP, the chiropractor, the pharmacy,” Mr Leonard said.
“By definition, the more … humans involved in handling information, the more likely something is going to go wrong.”
Calls for better privacy protections continue
Following a spate of high-profile data breaches in 2022, there has been increased attention on whether Australian organisations are being properly regulated when it comes to privacy and data management.
Bruce Baer Arnold from the University of Canberra law school said the NDB scheme had been “fairly disappointing” when it came to deterring data breaches.
“Yes, we’ve got reporting,” he said.
“We don’t have much action.
“We have a watchdog that is reluctant to get out of its kennel. It doesn’t bark and it doesn’t bite.”
According to the OAIC report, some businesses dragged their heels on reporting at all: 71 per cent notified the agency within 30 days of becoming aware of a breach, but four took more than 12 months.
Organisations are meant to report and notify affected individuals “as soon as practicable”.
Mr Leonard sees the NDB scheme as more of a success, but suggests the agency’s lack of resources due to underfunding is a continued challenge.
“If you look at the trend numbers in the Notifiable Data Breach scheme and relate that to funding of the OAIC, it’s abundantly clear that the funding is inadequate,” he said.
The consequences for a company that is not doing enough to protect customer data also remain relatively trivial, according to Dr Baer Arnold.
The government is proposing to raise the potential penalty for a serious privacy breach to $50 million, but he would like to see Australia mirror the US regime, where the Federal Trade Commission is now assigning personal responsibility to executives.
“This is the sort of thing that is likely to have some consequences, and we should be bringing it to Australia,” he said.
The government is currently completing a review of Australian privacy law, which will also consider the impact and effectiveness of the NDB scheme.
Overall, Mr Leonard says, data breaches are likely to continue until we deal with the amount of data Australian companies collect, store and “overshare” — and enforce better processes for deleting it.
“Until they get all of those things right, we’ll see the number of data breaches increase regardless of whether the regulator is active or not.”