Private health service providers responsible for the most data breaches

The Office of the Australian Information Commissioner (OAIC) recently released its quarterly statistics report on the Notifiable Data Breach (NDB) scheme.
 
A total of 245 data breaches affecting personal information were reported between 1 July and 30 September. The largest source of data breaches by sector was private health service providers, responsible for 45 of these breaches.
 
Dr Rob Hosking, GP and Chair of the RACGP Expert Committee – Practice Technology and Management, is not surprised by these findings.
 
‘I think it’s partly that there is a lot of health information that’s transferred around,’ he told newsGP.
 
‘We are trying to work at improving that from a GP perspective with trying to encourage GPs to use secure messaging systems, not to use plain unencrypted email. We’re trying to move away from the fax and use these secure messaging systems.’
 
The NDB report found a significant proportion of the breaches in the health sector were avoidable.
 
‘Human error was to blame for 56% of the data breaches notified by the health sector,’ OAIC Acting Deputy Information Commissioner Melanie Drayton told newsGP.
 
‘This includes personal information being emailed, mailed or faxed to the wrong person, or loss of paperwork or storage devices.’
 
Malicious or criminal attack was responsible for 42% of breaches, Ms Drayton said. These include cyber incidents such as phishing and theft of paperwork or storage devices.
 
Ms Drayton said this data shows how important it is for everyone who handles personal information in their work to understand how data breaches can occur so they can better prevent them.
 
Dr Hosking agrees.
 
‘There’s the Information security in general practice guidelines that [the RACGP] publishes and tries to encourage GPs to implement in their practices,’ he said.
 
This handbook includes information on protecting Wi-Fi networks, creating a culture of information security within a practice through education and practice policies, and explores ways to manage access to systems and data.
 
Dr Hosking said another issue is that, even if GPs are aware of procedures to reduce the risk of breach, other practice staff members may not be as aware of the issues or how to prevent them, which is why all staff members require education on this issue.
 
‘A lot of it is about behaviour throughout practices, and thinking carefully when they’re sending information from their practice or even making information available within their practice,’ he said. ‘Who is able to access it? Who can view the screens?
 
‘Even walking out of the room while another patient is in the room, and you’ve left a previous patient’s information on the screen, that’s possible data breach.’
 
The RACGP is currently developing a new factsheet for general practices on the NDB scheme, as well as a flow chart outlining the steps required when a data breach has occurred in the practice.
 
‘Practice managers and GPs should make themselves aware of how they can protect their patients’ privacy,’ Dr Hosking said ‘And also protect themselves from coming to harm by inadvertently breaching the regulations and then suffering the consequences.’
 
Health service providers have been the largest source of data breaches since the OAIC commenced the NDB scheme in February this year, topping the list in each quarter. Since the scheme’s inception, 109 of 550 reported data breaches have been attributable to health service providers.

information Notifiable Data Breach Office of the Australian Information Commissioner privacy