Privacy and Security Community of Practice article | Sharon Campbell
The news this week from the West: a complete list of passengers potentially exposed to the monkeypox virus was emailed to one passenger, with that passenger's name highlighted. https://www.yasstribune.com.au/story/7864599/wa-health-sorry-over-monkeypox-data-breach/?cs=7
As shocking as it sounds, this is not an isolated incident, nor will it be the last data breach in Australia. The Notifiable Data Breaches report from the OAIC (2021)[i] notes that 41% of all data breaches are due to human error, and that such breaches increased significantly, by 43%, over the past reporting period. The top causes of human error breaches are noted as being:
- Personal information emailed to wrong recipient: 43%
- Unintended release or publication: 21%
- Loss of paperwork or storage device: 8%
So what could be contributing to the rise in human error and the release of patient information? This is not an area that has been fully considered or mentioned in publications such as the Notifiable Data Breaches Report (OAIC 2021). Contributing factors may include:
- Lack of personal supervision: previously, a supervisor may have double-checked an employee's work prior to release, but this has reduced since remote working commenced.
- Casual environment: this is pure speculation, but what if a more casual home environment has inadvertently led to reduced standards by some?
- Distractions: employees may be distracted by family members or pets in the home [ii].
The majority of your staff may work from a hospital base, so this may not contribute to the reasons for the breaches; however, it is worth looking at all avenues of potential causes, and this is just one area. Research into remote work and data breaches by IBM found a significant cost difference, on average nearly USD 1 million, between breaches where remote working was a factor and those where it was not. In Australia, the average cost of a significant data breach was estimated to be $2.92 million. Of course, smaller breaches will cost a lot less, but it is still worth considering the cost involved in managing and containing a breach.
The report further identified that healthcare experienced the greatest number and highest cost of data breaches compared with all other industries. The top two causes of data breaches were identified as business email compromise and phishing[iii].
As HIMs, we need to keep pushing for improvements such as privacy education, privacy impact statements and reviews. Education needs to be ongoing, not a one-off occurrence when an employee commences. Given the challenges we continue to face with digital transformation and working from home or remote locations, we need to be even more vigilant. Further research is definitely needed here!
[i] OAIC. 2021. Notifiable Data Breaches Report. Available at: Notifiable Data Breaches Report: January–June 2021 – Home (oaic.gov.au)
[ii] Sharp, C. 2021. Data Breaches in Australia: Spike in human error linked to data breaches during COVID crisis. Available at: https://checkpoint.cvcheck.com/data-breaches-in-australia-spike-in-human-error-linked-to-data-breaches-during-covid-crisis/
[iii] IBM Security. 2022. Cost of a Data Breach Report. Available at: https://www.ibm.com/au-en/security/data-breach