The private health services industry is once again the sector with the highest number of reported data breaches in Australia, accounting for 18% of all breaches notified to the Office of the Australian Information Commissioner (OAIC) during the latter half of 2021.
Out of the total 464 data breach notifications sent to the OAIC during the six months to December, private health service providers reported 83 of them. Finance filed the second most with 56, while legal, accounting, and management services rounded out the top three with 51.
The 464 data breaches received by the information commissioner under the Notifiable Data Breaches (NDB) scheme marked a 6% increase when compared to the first half of 2021.
Looking at the data breaches notified to the commissioner during this period, malicious or criminal attacks remained as the leading source of breaches, accounting for 256 notifications. Despite malicious or criminal attacks being the biggest reason for data breaches, the 256 notifications are a 9% decrease from the previous period.
At the same time, there was a significant rise in breaches due to human error, which increased by 43% to 190, after a dip in the previous period. System faults, meanwhile, were the source of 4% of data breaches during the period.
Unpacking the top causes of human error breaches notified to the OAIC, 43% of them were due to personal information being emailed to the wrong recipient, 21% were due to unintended release, while 8% arose from people losing paperwork or data storage devices.
Most breaches, 85%, involved contact information such as an individual’s name, home address, phone number or email address. Identity information such as date of birth, passport details and driver licence details were exposed in 40% of data breaches. Financial details, such as bank account and credit card numbers, were involved in 39% of breaches.
The NDB scheme has been in operation since early 2018, with Information Commissioner Angelene Falk saying she now expects organisations to have strong accountability measures in place to prevent and manage data breaches in line with legal requirements and community expectations.
Despite this expectation, Falk noted that some organisations have continued to fall short of the scheme’s assessment and notification requirements. For example, 11% of organisations that experienced system faults did not become aware of the incident for over a year.
“Delays in assessment and notification reduce the opportunities for an individual to take steps to protect themselves from harm,” Falk said.
“If organisations wish to build trust with customers, then it is essential they use best practice to minimise data breaches and, when they do occur, they put individuals at the centre of their response.”
Last month, the OAIC called for more data accountability measures in light of the Attorney-General’s Department (AGD) seeking consultation for its review of the Privacy Act.
The AGD began its review into the country’s Privacy Act at the end of 2020 as part of the Commonwealth’s response to the Australian Competition and Consumer Commission’s Digital Platforms Inquiry, which found the laws needed to be updated to adequately protect consumers and their data.
Among the measures being pushed by the OAIC is a central obligation to collect, use, and disclose personal information fairly and reasonably for entities under the scope of Australia’s Privacy Principles.
