Spotlight on privacy as health sector reports most data breaches

Morgan Liotta

3/05/2022 2:55:53 PM

To mark Privacy Awareness Week, the RACGP is reminding practices to review policies and procedures to ensure health information is secure.

Health service providers have consistently reported the most data breaches of all sectors since 2018.

The health sector remains the highest-reporting industry for data breaches, with health service providers notifying 83 data breaches during the period for July–Dec 2021 – making up 18% of the 464 total breaches.
This information comes from the latest Office of the Australian Information Commissioner (OAIC) Notifiable Data Breaches (NDB) report. It confirms that health service providers and the finance industry have consistently reported the most data breaches of all industry sectors since the NDB scheme began in 2018.
For this year’s Privacy Awareness Week (2–8 May), the RACGP is again supporting the OAIC to raise awareness and remind general practices how to minimise the risks of data breaches and information security attacks.
According to the college, maintaining privacy is one of the key principles of delivering safe, quality healthcare, and practices are advised to have robust policies and procedures in place.

Dr Rob Hosking, Chair of the RACGP Expert Committee – Practice Technology and Management (REC–PTM), said that although privacy is ‘something most GPs are very much aware of’, practices remain at risk.
‘Breaches are usually inadvertent and due to a breakdown in processes,’ Dr Hosking told newsGP.
‘With increasing digitisation and automation of our services the risks of breaches keep increasing.’
Although now considered somewhat of an ‘old risk’, Dr Hosking said written referrals could still present a problem if the GP does not check with the patient whether they want all their information included in every referral.
A computer-generated referral may automatically include information the patient does not want other people to know about.
‘This may result in a breach by providing the patient with an unsealed paper referral or email that is then visible to other family members if it is left lying around,’ Dr Hosking explained.
‘Or it may be the patient feels it is inappropriate that [for example,] a podiatrist referral includes all of their past sexual health history – such as terminations of pregnancy, sexually transmitted diseases, erectile dysfunction – or mental health history and medications taken for these conditions.
‘Of course, this information may be appropriate in a referral to a specialist dealing in a related area of the patient’s health.’
With some practices recently impacted by floods, Dr Hosking is concerned about the implications of lost patient records, which could be considered a potential breach of privacy.
He recommends reducing the risk either by using a cloud-based system or by taking a daily backup and removing the backed-up data from the practice premises each day.
In addition to the RACGP’s suite of privacy resources available for GPs and practices, the OAIC’s Guide to health privacy is designed to support health service providers to understand their obligations under the Privacy Act 1988, and ‘embed good privacy in their practice’.
Dr Hosking said the college resources provide advice around common ‘sensitive areas’ such as providing patient records to third parties, and he reminds GPs to apply an individual approach when asking patients for information.
‘There are great safeguards that can be used within our computer systems to prevent [patient data breaches], such as preferences in recording patient past history, or using encrypted secure messaging systems or password-protected emails,’ he said.
‘It still requires GPs to consider the sensitivity of what they are writing and the means of providing this information. Almost every case will be different, and a brief discussion may be required.’
Likewise, uploading information to the My Health Record is best done in consultation with the patient, particularly if there appears to be potentially sensitive information in the computer record, Dr Hosking said.
In the July–Dec 2021 period, the health sector reported an equal number of breaches resulting from malicious or criminal attack and human error (47% each).
Malicious or criminal attacks remain the leading source of all breaches for all sectors, accounting for 256 notifications (55% of the total), in the six-month period. Data breaches resulting from human error accounted for 190 notifications (41% of the total).
The focus of Privacy Awareness Week 2022 is to establish and strengthen a ‘foundation of trust’ to protect privacy.
OAIC Privacy Commissioner Angelene Falk recently said it is ‘essential’ that organisations use best practice to minimise data breaches and, when they do occur, put individuals at the centre of their response to build trust.
‘A key objective of the [NDB] scheme is to protect individuals by enabling them to respond quickly to a data breach to minimise the risk of harm,’ Commissioner Falk said.
‘Delays in assessment and notification reduce the opportunities for an individual to take steps to protect themselves from harm.’
Dr Hosking reminds GPs that practice staff should be supported in being aware of any potential risks.
‘It’s also important that our support staff are aware of potential security issues before they send or provide information to a patient,’ he said.
‘Even a family member attending the practice to collect a prescription on behalf of the patient is a potential privacy breach – we had a complaint about this in our practice and developed systems to avoid this issue.
‘The new eScript system is also a [potential] risk, as we may inadvertently send an eScript to the wrong phone number or email address.
‘While it is much more convenient to use this new system, it is good practice to check the phone number or email you are planning to use before sending.’
In addition to the RACGP’s suite of privacy resources, the Using email in general practice fact sheet has also been recently updated as a useful tool for GPs.
