More than twelve months after the commencement of the Australian Notifiable Data Breach Scheme,1 statistics published by the Office of the Australian Information Commissioner (OAIC) have begun to reveal trends present in the 812 notifiable data breaches recorded in Australia between 22 February and 31 December 2018. One key trend is the clear susceptibility of the health care industry, which suffered one fifth of all data breaches recorded in Australia throughout 2018, the highest number on an industry scale.
There is a cruel sense of irony that the services we turn to when we are vulnerable are themselves vulnerable, suffering data breaches that may harm us financially, psychologically or, in extreme circumstances, physically. The figures are stark, with 163 notifiable data breaches suffered by health sector businesses that are subject to the federal Privacy Act 1988 (Cth), which does not include the country's major hospitals operated under State jurisdictions. On top of these figures, the Australian Digital Health Agency, the agency responsible for administering the controversial 'My Health Record' system,2 reported that a further 42 data breaches affected Australian My Health Records throughout 2018, which are also excluded from the statistics recorded in the OAIC's reports.
For industries in the health sector, and those advising on cyber security, the question inevitably arising out of these figures is – why? Are these statistics merely the result of statistical variation over a limited period, or are there industry-specific factors that contribute to the prevalence of data breaches? This question cannot be answered definitively, but there are statistical anomalies within health sector data breach figures which provide further insight. In the period between 1 April 2018 and 31 December 2018 there were 83 notifiable data breaches in the health sector caused by human error, comprising 56% of the total breaches throughout that period.3 This figure is alarmingly high. In contrast, the percentage of data breaches caused by human error in all other industries is a mere 30%.4
The OAIC's quarterly statistic reports delve into further detail on the context of these breaches, assigning each human error data breach to a general category of the circumstance of its occurrence. These statistics indicate that the most common way in which human error data breaches occur include:
- sending personal information to incorrect recipients by fax, email or otherwise;
- failing to blind copy additional recipients to joint email chains; and
- loss of paperwork or storage devices.
There are various hypotheses regarding why these data breaches occur more frequently in the health sector than other industries. Some propose that the industry is comprised of a lesser proportion of 'digital natives' than other industries due to the generally older age demographic of employees in the industry. Other potential explanations are that there are embedded virtues of trust and compassion in the health industry that may lead employees to be more susceptible to fraud or less aware of risks. Additionally, high-pressure working conditions may also play a part. Regardless of the potential reasons behind these trends, the health sector must improve its internal data security standards or risk continuing to suffer data breaches at a rate greater than any other industry.
Promisingly, the statistics and trends discussed above indicate that there is scope for improvement via relatively simple avenues. The human errors that cause the majority of data breaches usually involve a simple lack of attention to detail, such as confirming correct address recipients and ensuring security of physical files. Businesses can go a significant way towards addressing the industry's shortcomings through greater awareness and personnel training.
To avoid becoming another statistic, healthcare providers must be cognisant of the unique risks associated with their industry and take simple steps to reduce the risk of a data breach.
1 For further information regarding the operation of the Notifiable Data Breach Scheme in Australia generally please refer to our earlier client alert.
2 Established under the My Health Records Act 2012 (Cth), the My Health Record system is an online system that compiles participants' health records over time and allows approved health service providers to access those records when treating patients, providing greater patient flexibility in the health industry.
3 Please note that industry-by-industry figures are unavailable for the first quarter of 2018.
4 Being 182 human error data breaches out of a total of 601 in all other industries, including finance, professional services and education.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.