October 29, 2020

The Un-healthiness of the Australian Health Sector’s Data Security

More than twelve months after the commencement of the Australian Notifiable Data Breach Scheme,[1] statistics published by the Office of the Australian Information Commissioner (OAIC) have begun to reveal trends in the 812 notifiable data breaches recorded in Australia between 22 February and 31 December 2018. One key trend is the clear susceptibility of the health care industry, which suffered one fifth of all data breaches recorded in Australia throughout 2018, the highest share of any industry.

There is a cruel irony in the fact that the services we turn to when we are vulnerable are themselves vulnerable, suffering data breaches that may harm us financially, psychologically or, in extreme circumstances, physically. The figures are stark: 163 notifiable data breaches were suffered by health sector businesses subject to the federal Privacy Act 1988 (Cth), a figure that excludes the country’s major hospitals operated under State jurisdiction, which fall outside the federal Act. On top of this, the Australian Digital Health Agency, the agency responsible for administering the controversial ‘My Health Record’ system,[2] reported a further 42 data breaches affecting Australian My Health Records throughout 2018, which are likewise excluded from the statistics in the OAIC’s reports.

For organisations in the health sector, and for those advising them on cyber security, the question inevitably arising from these figures is – why? Are the statistics merely the product of variation over a limited period, or are there industry-specific factors that contribute to the prevalence of data breaches? The question cannot be answered definitively, but there are anomalies within the health sector figures that provide further insight. Between 1 April 2018 and 31 December 2018 there were 83 notifiable data breaches in the health sector caused by human error, comprising 56% of all health sector breaches in that period.[3] This figure is alarmingly high. By contrast, human error accounted for a mere 30% of data breaches across all other industries.[4]

The OAIC’s quarterly statistical reports delve into further detail on the context of these breaches, assigning each human error data breach to a general category describing the circumstances of its occurrence. These statistics indicate that the most common ways in which human error data breaches occur include:

  • sending personal information to the wrong recipient by fax, email or otherwise;
  • failing to blind copy (BCC) recipients on group emails, so that every recipient’s address is disclosed to all the others; and
  • loss of paperwork or storage devices.

There are various hypotheses as to why these data breaches occur more frequently in the health sector than in other industries. Some propose that the industry comprises a smaller proportion of ‘digital natives’ than other industries, owing to the generally older age profile of its workforce. Others suggest that the virtues of trust and compassion embedded in the health industry may leave employees more susceptible to fraud or less alert to risk. High-pressure working conditions may also play a part. Whatever the reasons behind these trends, the health sector must improve its internal data security standards or risk continuing to suffer data breaches at a rate greater than any other industry.

Promisingly, the statistics and trends discussed above indicate that there is scope for improvement through relatively simple avenues. The human errors that cause the majority of data breaches usually reflect a simple lack of attention to detail, such as failing to confirm recipient addresses before sending or failing to secure physical files. Businesses can go a significant way towards addressing the industry’s shortcomings through greater awareness and personnel training, and the same failure modes can be made harder to fall into by controls that make the safe path the default, such as prompting before sending to an external address or forcing BCC on messages to large recipient lists.

To avoid becoming another statistic, healthcare providers must be cognisant of the unique risks associated with their industry and take simple steps to reduce the risk of a data breach.


[1] For further information regarding the operation of the Notifiable Data Breach Scheme in Australia generally please refer to our earlier client alert.

[2] Established under the My Health Records Act 2012 (Cth), the My Health Record system is an online system that compiles participants’ health records over time and allows approved health service providers to access those records when treating patients, providing greater patient flexibility in the health industry.

[3] Please note that industry-by-industry figures are unavailable for the first quarter of 2018.

[4] Being 182 human error data breaches out of a total of 601 in all other industries, including finance, professional services and education.

© Copyright 2020 Squire Patton Boggs (US) LLP
National Law Review, Volume IX, Number 123
About this Author

Margie M. Tannock
Partner

Margie Tannock’s practice focuses on advising clients from all sectors on statutory approvals, corporate governance, compliance and public law. She works closely with clients to resolve regulatory risk across all aspects in corporate decision making, especially relating to major projects, environmental, planning and land access authorisations.

Margie delivers strategic advice and commercial solutions involving property and infrastructure developments. She has advised on regulatory permitting and licencing for major resource and energy projects, including port,...

+61 8 9429 7456

Connor McClymont
Associate

Connor McClymont is an associate in our Corporate Practice Group, advising clients on a wide range of corporate transactions, focussing on capital markets and corporate governance. Connor also advises clients on data privacy and cybersecurity regulatory compliance and best practice. He works with clients to implement bespoke compliance frameworks and offers advice grounded in understanding the nature of their operations. He has advised clients on a range of matters in related fields, including consumer protection and employment.

Connor has experience assisting on capital market...

+61 8 9429 7534

Charlotte Osborne
Senior Associate

Charlotte Osborne advises clients from all sectors on planning and environmental law, and related regulatory and public law matters.

Charlotte is an approachable and pragmatic lawyer with more than 11 years’ experience advising clients from a range of sectors in regulatory, local government and commercial law.

As part of the Energy & Natural Resources team, Charlotte mainly advises in the areas of town planning, development, environmental, administrative and public law.

Prior to joining the firm, Charlotte practised environment and planning law...

+61 8 9429 7592