The Office of the Australian Information Commissioner (OAIC) has released its delayed quarterly report into the Notifiable Data Breaches (NDB) scheme, and the healthcare sector has topped the list for data breaches once again, with most breaches caused by malicious conduct and human error.
According to the report released today, 49 notifications of data breaches in healthcare were made from April to 30 June 2018, surpassing the finance sector’s 36 notifications. A total of 242 notifications were received during the quarter.
Included within the healthcare component were breaches reported by online booking app HealthEngine, which connects to the Federal Government’s My Health Record, and Family Planning NSW.
The report shows 59 per cent of data breaches were caused by malicious or criminal attacks (142 notifications), with the majority of those linked to the compromise of credentials such as usernames and passwords.
Thirty-six per cent of breaches were the result of human error such as sending emails containing personal information to the wrong recipients.
System faults caused 12 notifications.
One breach affected more than 1 million Australians. Fifty-two notifications involved the personal information of 100 to 1000 people; 61 per cent of the data breaches related to the details of 100 or fewer individuals, and 38 per cent affected up to ten people.
The report only covers private healthcare providers, with public hospitals and health services not included.
The NDB came into effect on February 22 and requires organisations to notify the OAIC and affected individuals when a breach of personal information has occurred that is likely to result in serious harm.
“Notifications this quarter show that one of the key aims of the scheme – ensuring individuals are made aware when the security of their personal data is compromised – is being met,” the OAIC’s acting Australian Information Commissioner and Privacy Commissioner Angelene Falk said.
“Data breach notification to individuals by the entities experiencing the data breach can equip individuals with the information they need to take steps to reduce their risk of experiencing harm, which can reduce the overall impact of a breach.”
The OAIC, which was due to drop the report more than two weeks ago, said the data breaches do not relate to the My Health Record system.
But the healthcare sector stats are another setback to the national health information database as it continues to be buffeted by data privacy concerns.
Up to 900,000 health professionals will have access to My Health Record via numerous software systems, creating a substantial “attack surface”, according to former Privacy Commissioner Malcolm Crompton.
“There’s lots of talk about the centralised part of MHR security but what is the evidence that ALL 900,000 health practitioners have even reasonable security on their digital devices let alone the high grade that is claimed for the centralised part,” Crompton, who is also the founder and lead privacy advisor at Information Integrity Solutions, said.
“Remember, Target in the US was penetrated (and $250 million damage caused) because the outsourced service provider of HVAC (heating, ventilation and air conditioning) was hacked.”
Currently, about 6 million people have a My Health Record and the rest will have one created for them by the government by the end of the year unless they opt out by October 15.
Speaking today at a media conference in the Tasmanian seat of Braddon, which Labor won in Saturday’s by-election, Opposition leader Bill Shorten said the government’s management of the My Health Record roll-out had grown as an issue of community concern during the campaign.
“It wasn’t the biggest issue in the election but it’s one which certainly as every day went on, more concern was expressed to me and our Labor candidates,” Shorten said.
“The government has got to protect the privacy of Australians. I support digitising health records, the principle of it, but this government is really bungling it.
“The government has got to respect the privacy concerns. It is very powerful information … people don’t want it accessed.”
Prime Minister Malcolm Turnbull, Health Minister Greg Hunt, and the Australian Digital Health Agency’s CEO Tim Kelsey have all said in the last three weeks that My Health Record has never suffered a security breach and has defence-tested cyber security. But Shorten said concerns remained.
“We’re not going to make this a political football, people’s private health records, but nor should the government and the government’s got to stop treating, the Liberal Government, treating Australians as mugs, by pretending there is not a problem here about how you properly protect people from having their information hacked.”
Cybersecurity experts said the OAIC’s latest report should serve as a warning to organisations.
“Today, all employees in most companies are handling customer data, all industries have a web presence, and a breach can have a catastrophic effect on shareholder confidence and board credibility,” Scott Robertson, Vice President Asia Pacific and Japan at Zscaler, said.
“As this report suggests, security hygiene should not be reserved for those in healthcare or financial services. The days of ‘we’re not a target of cyber criminals because we only sell x’ are long gone. Criminals vary from the state-sponsored looking for targeted intel through to the opportunistic seeking to make a few dollars.
“At the same time, the internet has become ‘the’ network and securing access to it, cloud apps and data must be the new strategic focus. Business leaders need to change the dialogue from ‘Are we secure?’ to ‘Do we understand the risks of operating in this environment and have we mitigated those risks sufficiently?’”
ANZ Regional Director of WatchGuard Technologies Mark Sinclair described the breach report as “yet another wake-up call” for Australian organisations and said they need to be proactive when it comes to cybersecurity resilience and look within.
“The perception still exists among way too many companies that the biggest threat to an organisation is external, however, it’s almost always internal inadvertent causes that are related to an external targeted attack, that pose the greatest problems,” Sinclair said.
“A user visits a compromised website and downloads a ‘codec’ to watch a video. A user opens a suspicious attachment. A user mistypes an email address and sends the payroll data or credit card details to the wrong person. Without an ineffective and properly configured security solution in place these attacks will always take place.”
Jacqui Nelson, Managing Director of Dekko Secure, which has recently conducted security audits in healthcare and public sector agencies, said irrespective of technology and company process no organisation had been able to protect itself from the human factor.
“Too often, a desire to just get the job done in the fastest and most efficient way means that we mere humans fall prey to simple errors like accidental misaddressing, using email to share files and an inability to verify a person’s identity, which are the fundamental causes of systematic failure in today’s online environment,” Nelson said.
“This latest quarterly mandatory data breach report suggests that security still isn't getting the attention it commands inside organisations.”