Top 10: Healthcare Data Breaches Australia
Cyber security and data breaches are a leading, trending topic in this brave new digital world we live and work in.
But in healthcare their damage can be catastrophic and far more personal.
Data breaches must be reported to the Office of the Australian Information Commissioner; the requirement is worded as follows:
“Agencies and organisations regulated under the Australian Privacy Act 1988 (Privacy Act) are required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach.”
But on your daily skim of the news, have you heard of any relating to healthcare?
Here are ten data breaches or failures in cyber security across healthcare you will want to know about:
South Australia Health (SA Health)
From 1996 to 2005, 7,200 pathology tests relating to childhood infections were processed at Adelaide’s Women’s and Children’s Hospital. An academic used this data in a presentation that was subsequently posted online, with the results displayed as a graph. Somehow, the underlying source data, including names, dates of birth and test results, was revealed at just the click of a button on the graph image. With 300 recorded views online, there is no way of knowing how many people clicked through to the identifying data, but the fact that it took 13 years to discover, and then only by a concerned member of the public, is mind-blowing.
Red Cross Blood Service
At the time of this security breach it was described as Australia’s largest to date. Between 2010 and 2016, 550,000 blood donors had filled out an online application form that included name, gender, address, date of birth and “personal details”. Little did they know that the file containing such a trove of information was moved to an unsecured computer or device by a contractor and then accessed without authority. The most concerning aspect for the donors was arguably the question on the form that detailed “at risk behaviour” that might influence the decision to use their blood.
Medicare
Although no direct or personal health records or information were accessed in this breach, it was serious enough that the Australian Federal Police launched a thorough investigation. The specific information hijacked was the Medicare card numbers of members of the public, potentially allowing future fraud to occur. Worse still, one affected individual was able to buy his own details online for $20 on the “Dark Web”, anonymous websites accessed through browsers like “Tor”. This revealed that the seller had already managed to profit from 75 other sets of Medicare details. The finger was pointed at the Department of Human Services’ (DHS) Health Professional Online Services (HPOS): anyone in a health service with access to this system could easily have their logins stolen or hacked, opening up access to patients’ Medicare information, names and dates of birth.
Family Planning NSW
The sexual health and reproductive service was hit by hackers with a penchant for Bitcoin, so much so that they demanded a ransom. The target of the heist was the organisation’s online booking system, with 8,000 patients’ details affected. In all probability a type of ransomware was used, meaning the attackers may not have attempted to actually view the data, but all the same there was outrage, since women seeking this service could be in abusive relationships, from conservative families, or attending without their partner’s knowledge.
HealthEngine
Fresh off the back of revelations and indiscretions about its conduct concerning reviews and the sale of patient details to a law firm, HealthEngine reported a potential breach. With a web page code error blamed, 59,600 feedback items were visible, 75 of which were classed as identifying.
Princess Alexandra Hospital / Queensland Health
Earlier this year an IT contractor based at this Brisbane hospital wandered through the wards. With more than 5,500 staff and comfortably over 100,000 patients admitted each year, you would expect a slick and secure operation. What he saw was paper taped to the walls with usernames and passwords for a pathology system that could reveal blood test results. No breaches have been reported, but he did have time to scribble them down.
My Health Record
The dark comedy that is the My Health Record cannot go a month without notable, dangerous concerns being highlighted. Although no “major” breach has yet occurred and senior officials have claimed it is watertight, it was meekly reported that six breaches were recorded in the 2016-17 financial year and three in the 2015-16 financial year. Medicare fraud and human error on the part of the Department of Health were blamed. Millions of eyes are now fixed on the My Health Record, waiting for more serious events (more recently, in November 2018, it was reported that there have now been 99 breaches to date).
Western Australia Health (WA Health)
For all the breaches due to simple human or technical error, there are others that have sadly been intentional. It was recently discovered that between 2014 and 2017 there were 40 breaches of patient confidentiality under the State’s Health Services Act. Essentially this means staff were accessing patient records inappropriately. Despite the breaches occurring statewide across multiple hospital sites (only one of them at a WA Country Health Service hospital), not one staff member has been dismissed. The response so far has been to double down on training and education about data security.
And the wildcards…
Technically, as these are not healthcare services or health-specific technology, they almost did not make the cut, but they can be equally damaging.
Strathmore Secondary College
Human error is more often than not the cause of notable data breaches, and this was no exception. 300 students from the school in Melbourne’s north west were horrified when their medications, mental health conditions and learning and behavioural difficulties were front and centre on the school’s intranet page from a Monday to the following Tuesday, for all to view.
Manor Lakes P-12 College
This south-western Melbourne school had some explaining to do when, by chance, a female student discovered she had a file on her iPad containing hundreds of health records of her fellow pupils. With no understanding of how it got there, the school interrogated her and later apologised, accepting that she had not done it deliberately. The explanation offered was that she had used a teacher’s laptop with permission, and the teacher was later aware that the student’s Google Drive account had remained synced on it and had uploaded the file. The records focused on mental health and behavioural issues, arguably the most sensitive possible.
Aware of any we missed above? Or have a topic you would like Doctology to cover? Get in touch by email at firstname.lastname@example.org today.