Australia’s health sector reports most data breaches again

A total of 242 serious data breaches were disclosed to the Office of the Australian Information Commissioner (OAIC) during the second quarter of 2018 – the first full quarter since the national mandatory disclosure scheme came into effect.

During the whole of 2017, when disclosure was voluntary, only 114 breaches were reported.

As in the first-quarter report – which included data for only part of the quarter as the scheme began on 22 February 2018 – the health sector reported most breaches, followed by the finance sector.

The OAIC was at pains to point out that the health sector breaches were not related to the government’s MyHealth record system, which has come under fire for its lack of privacy safeguards, as well as allowing health records to be accessed by various government agencies, including the Australian Taxation Office.

But the OAIC report is likely to fan the flames of the current debate about the national health record scheme. Although there is an opt-out window for citizens until October 2018, calls have been growing for a total rethink of the MyHealth record scheme.

Ashley Watkins, country director for Trend Micro in Australia and New Zealand, said health data is a magnet for cyber attackers because the volume of personally identifiable information typically held in a health record makes it up to 10 times more valuable than credit card data when sold on the black market.

“Criminals can use it for identity fraud, to illicitly purchase pharmaceutical drugs, and to make fake insurance claims,” he said.

But Watkins added: “People shouldn’t necessarily hold back from providing their health data, as the quantity and quality of healthcare data available is increasingly being used in positive ways to uncover new insights and to advance medicine faster.

“In saying that, cyber attacks and data breaches are inevitable across all industries, so there should always be a level of concern when it comes to the security of data.”

Angelene Falk, acting Australian information commissioner and privacy commissioner, said the mandatory notification regime is already helping to increase transparency and accountability, delivering important insights for organisations about how to protect themselves better.

She said notifications during the second quarter show that one of the key aims of the scheme – ensuring individuals are made aware when the security of their personal data is compromised – is being met, allowing citizens to take what steps they feel are necessary to protect themselves from any harm.

Most reported data breaches were the result of malicious or criminal attacks (59%), followed by human error (36%) and system faults (5%). Most incidents were linked to compromise of credentials such as user names and passports.

Mark Perry, chief technology officer at Ping Identity in Asia-Pacific, said: “With over 75% of cyber breaches in the report due to compromised credentials, it is clear that organisations that don’t use multi-factor authentication for all their consumers, employees and system administrators are missing out on a relatively simple method of minimising the risk of breaches.”

Phil Kernick, co-founder and chief technology officer of security consultancy CQR, said he is not surprised at the number of enterprises reporting breaches.

“For some reason, IT security messages are not yet ingrained in the mindset of each and every employee within an organisation and it remains to be seen if Australian businesses have actually worked out how much risk they are willing to stomach,” he said.  

“Indeed, the jury is out on just how aware the average medium-sized business is of the current risk landscape. For example, are Australian directors really aware of the implications that the growing use of cloud platforms have when it comes to an organisation’s risk?”

Kernick said the notifiable data breach regulation provides an opportunity to not only reshape how data is managed across organisations, but also educates staff on the potential implications of a data breach.

“Many businesses collect data just because they have always collected data and have never stopped to ask why,” he added. “Organisations should internalise the cost of a data breach so that the option of doing nothing becomes an expensive one to take in 2018 and beyond.”