The healthcare sector reported the most number of data breaches in Australia between January and June this year, according to the latest report by the Office of the Australian Information Commissioner.

FINDINGS

According to OAIC's website, a data breach occurs when personal information of an organisation or agency is lost or subjected to unauthorised access or disclosure, such as when a customer’s personal information is lost or stolen, a database with personal information is hacked or personal information is mistakenly given to a wrong person. 

The OAIC said in the biannual report that the healthcare sector reported the most cases of a data breach at 85, which accounted for almost a fifth of all notifications. 

It was found that malicious or criminal attacks (48 cases) were the main source of breaches within the sector, which is a "significant shift" from previous reports that consistently indicated human error as the main cause. 

Most attacks or 31 cases were cyber incidents, such as phishing (10) and ransomware (10).  

Overall, there were 446 data breaches reported in the first six months of 2021 across entities in healthcare, finance, legal, accounting and management, insurance and the government. This represents a 16% drop compared to the July-December 2020 period. Most notifications were made in March (102).

Malicious or criminal attacks were the leading source of breaches, making up 289 or 65% of the total notifications. The most common type of personal information compromised in breaches is contact information. 

The report said that 93% of data breaches affected 5,000 individuals or fewer, while 65% hit 100 people or fewer.

WHY IT MATTERS

The OAIC said there is "cause for concern" over the increased incidence of ransomware across all sectors, rising from 37 to 46. Since it can be difficult for organisations to assess what data has been accessed or exfiltrated, some entities may not be reporting all eligible data breaches involving ransomware. 

THE LARGER TREND

Among recent cyber incidents in the Australian healthcare sector was the ransomware attack at UnitingCare Queensland on 25 April. It affected the hospital group's internal IT system, forcing them to turn to paper-based operations. A group that identifies as REvil/Sodin claimed responsibility for the incident. The healthcare provider only went back online after over a month.

ON THE RECORD

"We expect entities to have appropriate internal practices, procedures and systems in place to assess and respond to data breaches involving ransomware, including a clear understanding of how and where personal information is stored across their network," said Australian Information Commissioner and Privacy Commissioner Angelene Falk.