First we had the news that the private health sector were the data beach front-runners.
“Yet another wake-up call”: Privacy Commissioner releases new data breach report, with health sector top of the list
Lynne Minion | 31 Jul 2018
The healthcare sector has topped the list for data breaches once again, with the Office of the Australian Information Commissioner releasing its delayed quarterly report into the Notifiable Data Breaches scheme, with most caused by malicious conduct and human error.
According to the report released today, 49 notifications of data breaches in healthcare were made from April to 30 June 2018, surpassing the finance sector’s 36 notifications. A total of 242 notifications were received during the quarter.
Included within the healthcare component were breaches reported by online booking app HealthEngine, which connects to the Federal Government’s My Health Record, and Family Planning NSW.
The report shows 59 per cent of data breaches were caused by malicious or criminal attacks (142 notifications), with the majority of those linked to the compromise of credentials such as usernames and passwords.
Thirty-six per cent of breaches were the result of human error such as sending emails containing personal information to the wrong recipients.
System faults caused 12 notifications.
One breach affected over 1 million Australians, 52 notifications involved the personal information of 100 to 1000 people, 61 per cent of the data breaches related to the details of 100 or fewer individuals, while 38 per cent affected up to ten people.
The report only covers private healthcare providers, with public hospitals and health services not included.
Lots more here:
In the second of three we had a very messy paper breach.
NSW Government criticised after hundreds of medical files found abandoned in derelict aged care building
3 August, 2018
Privacy advocates are demanding the New South Wales Government explain how hundreds of medical files were left abandoned in a derelict building south of Sydney.
Key points:
- New South Wales Health says it is investigating the matter
- It says the site was accessed illegally
- ABC sources maintain the building was not secured
The privacy breach, uncovered in a triple j Hack and ABC News investigation, is believed to be one of the largest of its kind in Australian history.
The documents date from 1992 to 2002 and were found at the former Garrawarra Centre for Aged Care in Helensburgh.
New South Wales Health said it was investigating the matter and that the site was surrounded by signs warning of asbestos and was illegally trespassed.
ABC sources maintain the building was not secured and was being accessed by members of the public.
The Australian Privacy Foundation's health committee chair, Dr Bernard Robertson-Dunn, said an appropriate explanation was needed.
More here:
Lastly SA Health chimed in with a fun – and long lasting – breach.
Thousands of SA children's medical test results online for 13 years: SA Health
4th August, 2018.
SA Health has revealed that thousands of children's medical test results have been publicly available online for the past 13 years.
The data with the names, date of birth and test results for about 7,200 pathology tests was embedded in a document on the Women's and Children's Hospital website from 2005.
It was removed in 2006, but two other document-storing websites kept it available until Thursday, when the department's IT security teams asked them to remove the data.
Cached versions of those documents were online until yesterday.
The test results related to patients who were treated at the hospital for respiratory infection, gastro or whooping cough between 1996 and 2005, Women's and Children's executive director of corporate services Phil Robinson said.
More here:
And for clarity we had this from the ADHA:
Statement on notifiable data breaches
Thursday, August 2, 2018 - 15:15
In the operation of the My Health Record, the Australian Digital Health Agency (the Agency) has reconfirmed there has not been a security or privacy breach, meaning that there has been no unauthorised viewing of any individual’s health information.
There are now close to six million people who have chosen to have a My Health Record.
The system has been operating for six years.
To ensure transparency, the Agency must report notifiable data breaches to the Information Commissioner and will continue to do so.
Last year, six cases were reported – these occurred due to either alleged fraudulent Medicare claims or administrative processing errors.
It was these items which were previously published by the Information Commissioner.
However, these is no evidence that any of these cases led to unauthorised viewing of any individual’s health information.
In the context of the My Health Record system, a notifiable data breach must be reported when data may have been accessed or viewed by someone who does not have appropriate authorisation. Errors of this type have occurred due to either alleged fraudulent Medicare claims or administrative processing errors.
A security breach occurs where the system or data is accessed by bypassing the security controls in place, for example if a person were to break the authentication controls and gain access to a record for which they don’t have authorisation.
This has never occurred for the My Health Record system and there have been no security breaches detected in six years of operation.
Here is the link:
What can we make of all this?
1. Humans are humans and by accident or design data breaches are inevitable – it is not if, but when, in the case of any system that holds any significant amount of personal data.2. Paper breaches are messy but electronic breaches can leak much more data more quickly and typically do much more damage.
3. With recent evidence from here, Singapore and elsewhere (the US health system in particular) to be kidding ourselves the myHR is immune is simply placing our bum up and our head firmly in the sand.
4. The ADHA has not quite grasped that a breach, is a breach, is a breach and is playing silly semantic games.
5. When you have a lot of private systems handling health information there will be variation in the quality of the terminal security and at least some of those may be accessing the myHR with obvious implications. The ADHA does not talk much about this risk but it is there big time - as is human abuse of myHR data access by 'rogue' professionals.
Can’t we all get real, accept that breaches are inevitable, work to prevent and mitigate them and decide on a reasonable considered basis whether to opt-out / cancel our myHR record depending on our own risk profile and how much happier we would be with a myHR vs. a health summary in our wallet.
David.
EmoticonEmoticon