Private Health Still Australia’s Most Breached Sector

Private health still continues to retain its position as Australia’s most breached sector as phishing attacks register an increasing trend, as per the latest reports.

The Office of the Australian Information Commissioner (OAIC) has come out with its Notifiable Data Breaches Quarterly Statistics Report for the third quarter of 2018 and it’s this report that makes these observations. The report finds that 20 percent of all NDBs (Notifiable Data Breaches) that happened between July and September were caused by phishing attacks.

245 data breach notifications were reported to the OAIC, of which the majority (57%) were caused by malicious or criminal attacks. A media release published by OAIC states, “The Office of the Australian Information Commissioner has been notified of 245 data breaches affecting personal information between July and September 2018, its latest report shows…The quarterly statistics report on the Notifiable Data Breaches (NDB) scheme indicates 57 percent of incidents were caused by malicious or criminal attack, and 37 percent resulted from human error.” 6 percent of attacks were due to system faults, as per the report.

The figures for the previous quarter are as follows- overall 242 breaches reported, of which 59% were attributed to malicious or criminal attacks, 36% to human error and 5% to system faults.

Coming back to the third quarter, 63% of the data breaches reported involved the personal information of 100 or fewer individuals. (The figure for the previous quarter was 61%).

The report also gives a sector-wise break-up, for the top five industry sectors. While private health service providers reported 45 breaches, the finance sector ranked second with 35. Legal, accounting and management services had 34 breaches while Private education providers reported 16 and personal services sector ranked fifth with 13.

The most common band of people impacted by breaches was between 100 and 1,000 people, with 65 breaches reported. This was followed by 58 breaches impacting a single individual, and 53 hitting between 11 and 100 people.

The quarterly report also discusses the kinds of personal information involved in breaches. Of these, contact information was the most commonly breached, with 208 instances (85%). The figures for other kinds of information were- financial details- 110 instances (45%), identity information- 85 instances (35%), TFN (Tax File Number)- 55 instances (22%), health information- 54 instances (22%), and other sensitive information- 18 instances (7%).

Coming back to the health sector, the majority of breaches reported from this sector were due to human error. It was malicious attacks which made up for the rest, while one breach happened because of system error.

ZDNet reports, “The majority of the health breaches were due to human error, and the rest made up by malicious attacks, with the exception of one breach due to system error…A total of four breaches each were due to loss of paperwork or a storage device, sending personal information to the wrong recipient as email, sending personal information to the wrong recipient via mail, and unauthorised disclosure due to unintended release or publication of information, as well as four breaches due to phishing attacks…A single breach each was reported by the private health sector as being due to malware, ransomware, and hacking by other means.”

The report further says, “The report only covers private health service providers under the NDB, the OAIC said, with public hospitals and health services covered by the My Health Records Act and hence not included in the report.”

The OAIC media release says, “Australian Information Commissioner and Privacy Commissioner Angelene Falk said training staff on how to identify and prevent privacy risks needs to be part of business as usual.”

The release quotes Ms. Falk as saying, “Everyone who handles personal information in their work needs to understand how data breaches can occur so we can work together to prevent them… Organisations and agencies need the right cyber security in place, but they also need to make sure work policies and processes support staff to protect personal information every day.”