The Office of the Australian Information Commissioner (OAIC) has been producing quarterly statistics of data breach reports since the Mandatory Data Breach Reporting regime came into force in the Privacy Act 1988 (Cth) (Privacy Act) on 22 February 2018. The latest report published on 30 October 2018 shows the continuation of a worrying trend for the Private Health Sector.
The OAIC statistics offer some valuable insights, including the causes of data breaches, with malicious/criminal attacks and human error consistently topping the list. However, one of the strongest trends is that the Private Health Sector has reported the highest number of data breaches in EVERY quarter this year.
What is a Reportable Data Breach?
For those that aren’t aware, a reportable data breach:
Harm can include theft, financial harm, identity theft, and potentially physical harm.
- is any unauthorised access, destruction, use, or misuse of personal information, being any information about an identifiable individual; and which
- which creates a real risk of harm to the individual.
What is the Private Health Sector?
The OAIC Private Health Sector statistics do not include public hospital and similar government-run health operations. The OAIC defines the Private Health Sector to be non-public health service providers, entities that assesses or records information about your health, maintains or improves your health, or provide prescription drugs or medicine. This can include:
- Doctors such as GPs and specialists;
- Pharmacists;
- Dentists and orthodontists;
- Counsellors and psychologists;
- Chiropractors, physiotherapists and masseurs; and even
- Naturopaths, gyms, child care centres and weight loss clinics.
The Numbers
So far in 2018:
- almost 20% of all reported data breaches have been from the Private Health Sector, the highest of all industry sectors;
- between 45,000 and 200,000 individuals are estimated to have been affected by a Health Sector data breach; and
- human error is the leading cause of data breaches.
These number are cause for concern if you operate in the Health Care Sector.
Why are there so many Health Sector Data Breaches?
It is possible that the high rate of data breach reporting relates to the number of small and micro health service providers that must comply with the Privacy Act. In other market sectors, many businesses are not bound by the Privacy Act if their turnover is less than $3 million.
Health service providers are automatically bound by the Privacy Act, regardless of turnover. This means smaller entities, neighbourhood practices, with fewer resources to spend on IT and data security, have the same obligations as large national businesses. The prevalence of human error may indicate that these smaller operations also don’t have the capacity to train their staff adequately in privacy and data protection.
Online commentary also suggests that stolen health information is extremely valuable on the black market. This may make the Health Sector a rich target to online criminals, particularly those entities without the resources to protect against hacking.
What can you do?
The best advice we can give you is be aware and be prepared.
Make sure that you are aware of your obligations under the Privacy Act, if you are a health service provider the Privacy Act applies to you. If you are in the ACT, NSW, or Victoria, other health record privacy legislation may apply in addition to the Privacy Act, for example, the Health Records (Privacy and Access) Act 1997 (ACT).
Make sure you have prepared your systems and staff as much as possible to protect against a data breach. But also, make sure you are prepared if (when) a data breach occurs. There are mandatory requirements to notify OAIC and the affected individuals of reportable data breaches. Fines for non-compliance under the Privacy Act range up to $2.1 million.
The Tech & Media team at Griffin Legal can assist you:
- in understanding your privacy obligations;
- training your staff; and
- preparing a Data Breach Response Plan to ensure you can quickly and easily comply with your mandatory data breach reporting requirements.
If you require further assistance Contact us today.