But at least the sector is identifying and reporting incidents faster than most, and, unlike the government, most breaches are not due to human error.
Health service providers have taken pole position in the Office of the Australian Information Commissioner’s most-breached sectors report, with the “good” news being the breaches are being reported and identified quickly.
Yesterday, the OAIC released its biannual report on notifiable data breaches, spanning 1 July to 31 December 2023.
Over the six-month period, there were 483 notifications across all sectors, up 19% from the previous six months.
The sector taking the pole position with the highest number of breaches: health.
Over the reporting period, 22% of all notifications came from health service providers, for a total of 104 breaches.
“Health service providers and the finance industry have consistently reported the most data breaches of all sectors since the National Data Breaches scheme began,” noted the paper.
Health information was exposed in 41% of all data breaches, making it the third most commonly exposed kind of information, after contact and identity information.
Just over half of the breaches within the health sector were malicious or criminal attacks.
Most of these malicious attacks – 38 of the 55 percentage points – were cyber incidents targeting computer information systems, infrastructure, computer networks or personal computer devices, and mostly comprised phishing (15%), ransomware (10%), and compromised or stolen credentials (method unknown; 10%).
The rest of the breaches in the sector were due to human error (46%) and system fault (3%).
“Only three of the top five sectors – health service providers, finance and insurance – notified data breaches resulting from system faults,” noted the paper.
Within the health sector, most human error breaches were a result of emails sent to the wrong recipient, loss of paperwork, failure to BCC in an email, and unintended publication or release.
Interestingly, the cause of the breaches followed the same pattern overall across all sectors and in four out of the five most-breached sectors: malicious attack was the cause of most breaches, followed by human error and then system fault.
The exception to the rule was the Australian government, which had not been in the top five breached sectors since early 2021.
“In contrast with the other sectors in the top five, Australian Government agencies notified more data breaches caused by human error (68%) than those caused by malicious or criminal attacks (32%),” read the report.
Thankfully, within the health sector three-quarters of the breaches were identified and 86% were reported to the OAIC within 10 days, more than in any of the other four most-breached sectors.
The other most breached sectors included finance (10%), insurance (9%), retail (8%), and the federal government (8%).
While 65% of the breaches affected 100 people or fewer, there were 26 “large-scale” breaches affecting over 5000 people, 22 of which were caused by cyber incidents.
“Cyber incidents continued to be the leading cause of data breaches that impacted a large number of Australians,” noted the report.
“The top causes were compromised or stolen credentials (9 notifications), ransomware (8 notifications) and hacking (4 notifications).”
The OAIC encouraged entities to review their processes to mitigate data breaches by cyber incident and to implement the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) prioritised mitigation strategies.
“The most effective of these mitigation strategies is the Essential Eight.”
The OAIC warned that the breaches had brought to light the risks of retaining personal information and recommended that entities implement data retention policies.
It used the example of a phishing attack on a health services provider and noted that an operationalised data retention policy could reduce the scale and cost of a data breach.
The OAIC also outlined the importance of promptly identifying data breaches.
It used a scenario involving a stolen wastepaper bin, which had been used to dispose of patient information, to make its point.
In the scenario, while the health service provider notified the police on the day of the incident, affected patients and the Information Commissioner were not notified until many months later, when the police found the bin, which had indeed been stolen and tampered with.
“The health service provider ought to have become aware that there were reasonable grounds to suspect there may have been an eligible data breach on the day it realised the bin was missing and notified the police,” advised the OAIC.
“The additional certainty that may have been provided by the police’s later confirmation of theft was not necessary to meet the threshold of reasonable suspicion.”