More breaches than ever occurring at Australian companies

Healthcare shamed, email blamed as data breaches increase 17 percent in the second half of 2019


Efforts to help Australian healthcare providers reduce their exposure to data breaches don’t seem to be working, with the industry yet again topping the leaderboard as new figures from the Office of the Australian Information Commissioner (OAIC) flag a significant increase in the frequency of data breaches.

Poor email practices a big reason for healthcare’s increase in breaches

Fully 117 breaches of health service providers, and 77 breaches of finance and superannuation companies, were reported to the OAIC during the last six months of 2019 — extending a healthcare-industry streak that has continued unchallenged since the OAIC’s first report on the country’s mandatory notifiable data breach (NDB) policy in early 2018.

A total of 537 breaches were reported during the second half of 2019 — up 17 percent compared with the 460 breaches reported during the first two quarters of 2019 — bringing the total number of breaches for the year to 997.

This is the first time the OAIC has reported figures twice-yearly, having previously published quarterly summaries of NDB activity.

Almost one-third of the breaches during the second half of 2019 were linked to compromised login credentials, with phishing attacks blamed for more than 15 percent of the breaches. Malicious or criminal attacks were noted in 64 percent of breaches, while human error was blamed in 32 percent of all incidents — and 44 percent of healthcare breaches.

Australian information commissioner and privacy commissioner Angelene Falk blamed poor email practices, including the increasingly common habit of storing sensitive personal information in email systems, which are frequently breached, as a key contributor to the ongoing problems with data privacy.

“Organisations should consider additional security controls when emailing sensitive personal information,” she said in announcing the new report, suggesting that password protection or encryption would offer appropriate security. “This personal information should then be stored in a secure document management system and the emails deleted from both the inbox and sent box.”
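How a practitioner might find the messages Falk is describing before the next breach does, as an added example that is not code from the article, the OAIC or any vendor quoted here: it parses RFC 822 messages with Python's standard `email` package, scans the text parts of each message in both the inbox and the sent folder, and validates Medicare card numbers and tax file numbers by their published check digits so that ordinary ten-digit strings such as order numbers are not flagged. The mailbox contents, addresses, identifiers and file names are constructed for the demonstration and are not real data.

```python
"""Find mail that carries Australian health or tax identifiers in the clear,
so it can be exported to a document management system and then deleted from
both the inbox and the sent folder. Example code; sample data is constructed."""
import re
from email import message_from_string, policy

# Medicare card number: 10 digits, first digit 2-6, digit 9 is a check digit
# computed from digits 1-8 with weights 1,3,7,9,1,3,7,9 (mod 10); digit 10 is
# the card issue number. Cards print it as "NNNN NNNNN N".
MEDICARE_RE = re.compile(r"\b([2-6]\d{3})[ -]?(\d{5})[ -]?(\d)\b")
MEDICARE_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9)

# Tax file number: 9 digits whose weighted sum (1,4,3,7,5,8,6,9,10) is a
# multiple of 11.
TFN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def is_medicare(number: str) -> bool:
    """Check-digit test; rejects most phone and order numbers of the same length."""
    d = [int(c) for c in number]
    if len(d) != 10 or not 2 <= d[0] <= 6:
        return False
    return sum(w * x for w, x in zip(MEDICARE_WEIGHTS, d[:8])) % 10 == d[8]


def is_tfn(number: str) -> bool:
    d = [int(c) for c in number]
    if len(d) != 9:
        return False
    return sum(w * x for w, x in zip(TFN_WEIGHTS, d)) % 11 == 0


def find_identifiers(text: str) -> dict:
    """Return {'medicare': [...], 'tfn': [...]} holding validated matches only."""
    found = {"medicare": [], "tfn": []}
    for m in MEDICARE_RE.finditer(text):
        n = "".join(m.groups())
        if is_medicare(n):
            found["medicare"].append(n)
    for m in TFN_RE.finditer(text):
        n = "".join(m.groups())
        if is_tfn(n):
            found["tfn"].append(n)
    return found


def scan_mailbox(raw_messages, folder: str) -> list:
    """Parse each message, scan its text/plain parts, and return one report row
    per message that needs to be moved out of email."""
    report = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        hits = {"medicare": [], "tfn": []}
        attachments = []
        for part in msg.walk():
            if part.get_content_disposition() == "attachment":
                attachments.append(part.get_filename())
            elif part.get_content_type() == "text/plain":
                for kind, values in find_identifiers(part.get_content()).items():
                    hits[kind].extend(values)
        if hits["medicare"] or hits["tfn"]:
            report.append({
                "folder": folder,
                "message_id": str(msg["Message-ID"]),
                "subject": str(msg["Subject"]),
                "medicare": hits["medicare"],
                "tfn": hits["tfn"],
                "attachments": attachments,
                "action": "export to document management system, then delete",
            })
    return report


def remediation_plan(inbox, sent) -> list:
    """Both folders are scanned: a copy left in 'sent' is still a copy."""
    return scan_mailbox(inbox, "inbox") + scan_mailbox(sent, "sent")


# Constructed sample mailbox (not real messages or identifiers).
INBOX = [
    "From: clinic@example.com\nTo: records@example.com\nSubject: Referral\n"
    "Message-ID: <1@example.com>\n\n"
    "Patient Medicare no. 2123 45670 1, please book an MRI.\n",
    # Ten digits in the same layout, but the check digit is wrong: not flagged.
    "From: supplier@example.com\nTo: records@example.com\nSubject: Invoice\n"
    "Message-ID: <2@example.com>\n\nOrder 3123 45672 1 has shipped.\n",
]
SENT = [
    "From: records@example.com\nTo: accounts@example.com\nSubject: Staff tax form\n"
    "Message-ID: <3@example.com>\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nTFN 123 456 782 is on the attached form.\n"
    '--b1\nContent-Type: application/pdf; name="form.pdf"\n'
    'Content-Disposition: attachment; filename="form.pdf"\n\n'
    "%PDF-1.4 (constructed placeholder)\n--b1--\n",
]

if __name__ == "__main__":
    for row in remediation_plan(INBOX, SENT):
        print(row)
```

Running the scan over a real mailbox export would mean feeding `scan_mailbox` the messages from Python's `mailbox.mbox`; the check-digit validation is what keeps the report short enough to act on, since a bare "ten digits" pattern would flag every phone number and invoice reference in the folder.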

Healthcare the poster child for poor security

Ongoing problems with the security of healthcare information — which is among the most tightly protected personal data there is, but also among the most valuable to attackers — have led the OAIC to develop a specific action plan to help the health sector reduce its exposure.

But the figures suggest that the plan has yet to make a dent in an industry where the diversity of systems and data practices makes it difficult for CSOs to apply consistent security policies.

The Australian experience is in line with reports from other countries: a new Bitglass analysis of breaches reported to the US Department of Health and Human Services found that twice as many healthcare records were breached in 2019 as in the previous year, and that the number of affected individuals per breach nearly doubled over the same period, to 71,311.

Australian breaches tended to be smaller, with the majority of breaches affecting fewer than 100 individuals each — but the frequency of the breaches bodes poorly for privacy-sensitive Australians who are already cautious about the country’s move to mandatory electronic healthcare records.

The new figures represent more of the same for industry figures such as Sophos ANZ managing director John Donovan, who called for “radical change when it comes to cybersecurity” given the healthcare sector’s long string of poor performance. “Australians trust the healthcare sector with personally identifiable information (PII) like names and addresses, but also confidential details such as medical history and conditions,” he said. “It’s time for the industry to repay this faith and do more to protect Australians’ information.”

Terry Burgess, APJ vice president with Sailpoint, also slammed the results and called on business leaders to invest in “appropriate cybersecurity defences and staff education”, including boosting employee training around breach risks. “Ultimately, good policy and future investments in cybersecurity are contingent upon business leaders having a clear picture of the risks to make informed decisions,” he said. “As threats are increasing, business leaders need to put effort into continuously improving their companies’ cybersecurity postures to reduce the possibility of becoming a statistic.”

Copyright © 2020 IDG Communications, Inc.
