Private health tops data breaches

August 2, 2018

The Office of the Australian Information Commissioner (OAIC) received 242 notifications under the Notifiable Data Breaches (NDB) scheme in the period 1 April to 30 June 2018, according to the second quarterly statistical report on data breach notifications received under the scheme. This is the first full quarter of operation of the NDB scheme since it commenced on 22 February 2018.

The growing number of notifications under the scheme demonstrates an awareness by entities of their obligations to notify the OAIC and affected individuals where a breach of personal information is likely to result in serious harm. The report provides statistical information on breaches occurring in Australia and the reasons why they happen. Understanding causes will help everyone to take steps to prevent reoccurrence.

Since the scheme commenced on 22 February 2018, the OAIC has received 305 notifications in total.

The OAIC’s acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, said ‘Notifications this quarter show that one of the key aims of the scheme – ensuring individuals are made aware when the security of their personal data is compromised – is being met.

‘Data breach notification to individuals by the entities experiencing the data breach can equip individuals with the information they need to take steps to reduce their risk of experiencing harm, which can reduce the overall impact of a breach.

‘Notification to the OAIC also increases transparency and accountability. The report provides important information on the causes of data breaches so all entities can learn lessons and put in place prevention strategies.

‘The OAIC continues to work with entities to ensure compliance with the scheme, offer advice and guidance in response to notifications, and consider appropriate regulatory action in cases of non-compliance.’

The report shows that the main causes of data breaches are malicious or criminal attacks (142 notifications or 59 per cent), followed by human error (88 notifications or 36 per cent). The majority of malicious or criminal breaches reported were the result of compromised credentials, and the most common human error was sending emails containing personal information to the wrong recipient.

The risks of these types of data breaches can be greatly reduced by ensuring that staff responsible for handling personal information receive regular training.

Entities should also implement strong password protection strategies, including raising staff awareness about the importance of protecting their credentials. The OAIC has worked with the Australian Cyber Security Centre (ACSC), the Australian Government’s lead agency on national cyber security, on the causes of cyber security related breaches. The ACSC has provided a guide to mitigation strategies aimed at protecting credentials.

This quarter also saw reports of breaches that involved multiple entities. Under the NDB scheme, all entities involved have an obligation to notify the OAIC and affected individuals where an eligible data breach occurs, but arrangements can be put in place for one entity to discharge this obligation on behalf of others. Best practice is for entities to proactively establish clear procedures about how data breaches are to be handled and reported when third party providers are used.

A total of 242 notifications were made under the NDB scheme in the quarter. In the January to March 2018 quarter, 63 notifications were received. This was a partial reporting period due to the scheme commencing on 22 February 2018.

Of the 242 notifications in this quarter, the primary source of breaches was malicious or criminal attacks (142 notifications or 59 per cent), followed by human error (88 notifications or 36 per cent) and system faults (12 notifications or 5 per cent).

The report shows that the majority of malicious or criminal breaches reported were cyber incidents, linked to the compromise of credentials (user names and passwords).

The most common human errors were an email containing personal information sent to the wrong recipient (22 notifications), the unintended release or publication of personal information (12 notifications) and personal information sent by mail to the wrong mail recipient (10 notifications).

Most data breaches involved the personal information of 100 or fewer individuals (148 notifications or 61 per cent of breaches). Thirty-eight per cent (or 93 reported breaches) impacted ten or fewer people.

The private health sector is the top sector for reporting data breaches under the Australian NDB scheme with 49 notifications in the quarter. It should be remembered that these notifications do not relate to the My Health Records system. The finance sector had the second highest figure, with 36 notifications.