Human error remains main cause of private health data breaches
- 07 February, 2019 10:38
Angelene Falk (OAIC)
Once again the private health sector has topped the list of sectors with most data breach reports to the Office of the Australian Information Commissioner (OAIC) from October to December 2018.
Out of the 262 data breaches reported to the OAIC under the Australian Notifiable Data Breach (NDB) scheme, 54 came from the private health sector followed by finance (40); legal, accounting and management services (23); private education providers (21) and mining and manufacturing (12).
Most of the breaches reported across all sectors originated from malicious or criminal attack (64 per cent), especially in the finance sector. In the private health sector, however, human error is still the main issue: 54 per cent of the breaches were the result of human error.
The majority of the malicious or criminal attacks reported in the quarter were attributed to a cyber incident, most as a result of phishing attacks.
Human error includes failure to use 'BCC' when sending emails; loss of paper work; sending messages to the wrong recipient via email, phone, fax and others; unauthorised disclosure including failure to redact, unintended release and verbal disclosure.
Unauthorised or unintended data disclosure affected an average of 17,746 people per breach, considering all sectors together. Insecure disposal of data affected 300 individuals per breach and the failure to use BCC when sending emails affected 234 per breach in the latest quarter.
Health and Finance
The number of breaches reported in the financial sector increased from 35 in the previous quarter (July to September) to 40.
A total of 70 per cent of those were the result of malicious or criminal attacks, with 27 per cent attributed to human error and three per cent due to system faults.
Meanwhile, private health saw 54 per cent of the breaches originate from human error, 46 per cent from malicious attacks and none from system faults.
The sector also saw an increase in notifications from 45 in the previous reported quarter to 54 within the October to December period.
Specific to human error, examples include sending personal information to the wrong recipient by email (28 per cent of human error data breaches), failure to use the blind carbon copy (BCC) function when sending group emails (24 per cent), and unintended release or publication of personal information (17 per cent).
Australian Information Commissioner and Privacy Commissioner Angelene Falk said preventing data breaches and improving cyber security must be a primary concern for organisations entrusted with people’s personal data.
“Employees need to be made aware of the common tricks used by cyber criminals to steal usernames and passwords,” Falk said. “If a data breach occurs, early notification can help anyone who is affected take action to prevent harm.
“By changing passwords, checking your credit report, and looking out for scams using your personal information, you can help minimise the harm that can result from a data breach,” she added.
In April 2018, the OAIC released the first quarterly report revealing 63 notifications were received during the first six weeks of the scheme.
Out of the 63 notifications received, 51 per cent "indicated" that the cause was human error, 44 per cent were the result of malicious or criminal attack and three were the result of system faults.