Data breaches in any organisation are a serious concern. However, in a healthcare setting there can be additional risks. Hackers from the dark web will not hesitate to breach your client database in search of information that is considered to be sensitive under the Privacy Act. Hackers often have two main intentions for gaining access to your data:
- holding people and businesses to ransom; and
- on-selling this information for profit.
It is therefore important to be prepared for what happens if or when your medical practice is the target of a patient data breach.
The following steps are a brief summary of the detailed manuals we customise for our medical practice clients. These steps can help your team be alert to the warning signs, understand how to protect patient information, and know what to do in the event a patient data breach occurs.
1. Know what a patient data breach looks like
The first step is to identify an eligible data breach when it happens. To do this, you need to know what it looks like.
An eligible data breach occurs when there has been unauthorised access, disclosure, or loss of personal information, where the loss is likely to result in serious harm to a person or business.
Sometimes the access, disclosure, or loss may be very clear and obvious. For example, a team member may leave their laptop (with client files stored on it) on the train. If access is unauthorised, you may be alerted by your IT system notifying you that you have been hacked and that patient files have been downloaded. However, in other cases, it might not be so clear.
Consider a scenario in which you check the login data of your patient management files and discover that an intern (who does not have authority) has been viewing patient files.
To avoid this within your practice, ensure that every team member has their own login and is aware that sharing logins is not permitted. There should also be procedures in place for when people leave the clinic, to ensure that access is always removed and updated.
2. Be aware of your obligation to notify
Practices need to be aware not only of the Australian Privacy Principles, but also of their obligations under the Notifiable Data Breaches Scheme, and to understand those obligations.
The Notifiable Data Breaches Scheme requires organisations (referred to in the legislation as APP entities) to notify both you and the OAIC (Office of the Australian Information Commissioner) of any breaches. You are also required to notify any affected individuals where a data breach is likely to result in serious harm.
3. Initiate a potential breach assessment
Time is precious when it comes to data breaches.
If you suspect your clinic has been the target of a data breach, you must initiate an assessment immediately. You will need to appoint the Practice Manager or another team member to be responsible for the assessment. You should also seek the support of someone external, such as a specialist lawyer, for professional advice.
The assessment must be completed within 30 days, and the clock starts the moment you become aware that there may have been a data breach.
4. Investigate the potential data breach
Gather all information relating to the breach to try to determine what has happened. The person responsible for the assessment should speak with all relevant people within your clinic setting. The more information you can gather, the better.
The person you appointed as responsible for the assessment should look at all the information and decide whether there has been a notifiable data breach.
If the practice owner and the person responsible for the assessment determine there has not been an eligible data breach, you should record your assessment and findings, and update any processes or policies that are necessary to prevent a data breach of that kind from occurring in the future.
If, however, it is determined that there has been a data breach, you should proceed to determine whether that breach is likely to result in serious harm. Seeking the advice of a specialist lawyer can provide insight to aid this decision-making.
Although these steps are a summarised version of our detailed manual, there is much to consider, and how you and your team respond to a potential data breach is key. You should not hesitate to seek legal advice to ensure you follow a strict, detailed protocol if you suspect a data breach has occurred.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.