Australia's Biggest Breach Offender: Healthcare Sector
Data Breach Figures Arrive on the Heels of E-Health Records Project Controversy
With Australia's data breach reporting law now in full effect, figures published for the second quarter of this year reveal that the country's healthcare sector is the worst breach offender. The finding is certain to heighten the scrutiny already facing the country's controversial e-health records project.
The country's data breach regulator, the Office of the Australian Information Commissioner, released the data breach statistics that it collected, covering breach reports that it received from April through June. It is the first full reporting period since Australia's mandatory breach notification law came into effect on Feb. 22.
The OAIC says it received 49 notifications from healthcare providers. Of those, 41 incidents involved fewer than 1,000 people; five incidents involved between 1,001 and 5,000 people; two involved between 5,001 and 10,000 people; and one incident involved between 10,001 and 25,000 people.
The financial industry had the second greatest number of notifications at 36, followed by the legal, accounting and management services sector at 20, the education sector at 19 and business and professional associations at 15.
The OAIC does not identify the organizations that reported a breach. Organizations that are required to report a breach within 30 days to the regulator include most government agencies plus businesses and nonprofits with an annual turnover (revenue) of AU$3 million (US$2.2 million) or more. The requirement also applies to credit agencies, private health service providers and entities that record tax file numbers, or TFNs.
Biggest Problem: Human Error
Some 59 percent of the healthcare breaches were attributable to human error, the OAIC says, while the remaining 41 percent were due to malicious or criminal attacks.
Human error is a catch-all term for a range of mistakes, such as failing to use bcc (blind carbon copy) when emailing a group and instead exposing the full recipient list to everyone on it. Other common errors: sending data by email to the wrong person, losing or improperly disposing of storage devices and unintentionally exposing sensitive information.
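The bcc mistake above is the kind of error a simple outbound check can catch before the message leaves. The following is an added example, not code from the article or from the OAIC: it builds a group message the wrong way (everyone in To) and the right way (sender in To, recipients in Bcc), and a guard function refuses any message whose visible To/Cc list exceeds a threshold. The threshold, the clinic address and the patient addresses are assumptions constructed for the example.

```python
"""Added example: outbound guard for the exposed-recipient-list mistake.

Everything here is constructed for illustration; the MAX_VISIBLE_RECIPIENTS
threshold and the example.org/example.net addresses are assumptions.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: policy threshold. Above this many visible addresses the
# message is almost certainly a bulk mailing that should have used Bcc.
MAX_VISIBLE_RECIPIENTS = 5


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return the addresses every recipient can see: To and Cc, never Bcc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    pairs = getaddresses([str(h) for h in headers])
    return sorted({addr.lower() for _, addr in pairs if addr})


def check_recipient_exposure(msg: EmailMessage,
                             limit: int = MAX_VISIBLE_RECIPIENTS) -> tuple[bool, str]:
    """Gate an outgoing message: (allowed, reason).

    Refuses the message when too many addresses would be disclosed to
    all recipients via To/Cc.
    """
    visible = visible_recipients(msg)
    if len(visible) > limit:
        return False, (f"{len(visible)} addresses visible in To/Cc "
                       f"(limit {limit}); move recipients to Bcc")
    return True, "ok"


def build_exposed_message(sender: str, recipients: list[str],
                          subject: str, body: str) -> EmailMessage:
    """The mistake: every recipient placed in To, so all of them see each other."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_message(sender: str, recipients: list[str],
                       subject: str, body: str) -> EmailMessage:
    """The correct form: sender in To as a placeholder, real recipients in Bcc.

    smtplib.SMTP.send_message() uses Bcc for the envelope and strips the
    header before transmission, so recipients never see the list.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed sample data: a clinic mailing eight patients.
    clinic = "clinic@example.org"
    patients = [f"patient{i}@example.net" for i in range(8)]
    wrong = build_exposed_message(clinic, patients, "Reminder", "Appointment tomorrow.")
    right = build_bulk_message(clinic, patients, "Reminder", "Appointment tomorrow.")
    print("exposed:", check_recipient_exposure(wrong))
    print("bcc:    ", check_recipient_exposure(right))
```

In practice this check belongs at the mail gateway or in a send hook rather than in the user's client, since the whole point is that the sender did not notice the mistake. The threshold should be tuned to the organisation: for a clinic, a handful of addresses is a reasonable ceiling, because a list of patient addresses is itself health-related information.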
Of the 20 incidents that resulted from criminal or malicious activity, nine were due to theft of paper records or of a data storage device, three were due to rogue or malicious employees and eight were classified as "cyber incidents."
The cyber incidents included two cases of malware, two cases involving compromised or stolen credentials, two cases of phishing attacks that captured credentials, plus one ransomware attack and one brute-force attack.
Although the healthcare sector has the most reported breaches, the figures exclude incidents involving the My Health Record system.
Parliament passed the My Health Records Act in 2012. The law authorizes the creation of digital health records for patients that can be used by providers. The government contends that patient outcomes can be improved with better information sharing via My Health Record.
Security incidents involving My Health Record, however, fall under specific notification requirements in the law and not the mandatory breach notification scheme.
In its early days, the My Health Record program saw slow uptake among clinicians and the general public, who had to opt in to the program. So the government changed its strategy, making it an opt-out program.
That change rankled privacy activists and raised security concerns in an era of seemingly nonstop data breaches. As many as 13,000 healthcare providers will have access to the database.
But on Tuesday, the government announced some changes in light of the ongoing criticism of the project and its implementation. Health Minister Greg Hunt announced plans to tweak the law so that no government agency would be able to access a record without a court order. That move would resolve ongoing ambiguity and concern over who exactly can access any individual's health information.
Also, Hunt says the government would allow people to permanently delete their record from the system at any time. Under the original plan, those who had activated their record could cancel it, but data would be retained for 30 years after a person's death or 130 years after someone's birth.
Weak Point: The Humans
The OAIC's breach report highlights where security improvements need to be made.
Of the 242 total notifications received in the second quarter, 59 percent were due to malicious or criminal attacks, followed by human error at 36 percent and system faults accounting for 5 percent.
Of the malicious or criminal attacks, the OAIC says "many cyber incidents in this quarter appear to have exploited vulnerabilities involving a human factor (such as clicking on a phishing email or disclosing passwords)."
The vast majority of breached information - some 216 of 242 notifications - involved contact details. The next highest category of breached information involved financial details (102 notifications), identity information (94 notifications), health information (61 notifications), tax file numbers (47 notifications) and "other sensitive information" (20 notifications).