Leak Has Been Reported to Australia's Data Regulator
Jeremy Kirk • December 19, 2018
(Photo: A HBF branch in Joondalup, Western Australia. Credit: HBF)
A large health insurer in Western Australia inadvertently shared the home addresses of some psychologists with a web-based appointment booking service, the West Australian reported Wednesday.
The health insurer, HBF, passed names and addresses for psychologists to Whitecoat, a company that develops an online booking and patient review mobile application and website. The details have since been removed. The same details for dentists, dieticians and remedial massage therapists were also passed onto Whitecoat.
The West Australian writes that HBF has notified 7,000 psychologists. Some of the psychologists work from home and did not have a separate location for their practice. The breach came to light after a psychologist saw their personal address on Whitecoat.
Efforts to reach HBF on Wednesday were not immediately successful.
Exec: Data Should Have Been Scrubbed
HBF CEO John Van Der Wielen tells the West Australian: "We should have scrubbed the data or sent it in a different manner to avoid this, and while we think it might have only affected a small number of psychologists for a short period of time, we have to be squeaky clean. I'm treating it with the utmost severity but in reality we haven't published bank account details or family details."
Voter registration rolls in Australia contain names and addresses. But medical professionals are among those who can be granted silent elector status - in which only their name appears on the roll. That status is granted on a case-by-case basis and approved by a divisional returning officer, according to the Australian Electoral Commission.
Another One For The Tally
The incident has been reported to the Office of the Australian Information Commissioner, which oversees the country's data protection regulations.
In February, an amendment to Australia's Privacy Act went into effect that for the first time put in place a mandatory notification requirement for certain types of organizations for certain classes of data breaches. The law applies to companies and governmental organizations that are covered by the Privacy Act 1988 (see: Australia Enacts Mandatory Breach Notification Law).
Businesses with less than AU$3 million ($2.2 million) in annual revenue are excluded from the reporting requirement. The fines for violations range from AU$360,000 for individuals to AU$1.8 million for organizations.
Before the law, many organizations had followed the best practice advice from the OAIC, which recommended that breaches be voluntarily reported. The threshold for reporting was a leak or theft of information that's likely to result in "serious harm."
The OAIC offered guidance to organizations on how that determination is to be made: "Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person in the entity's position."
One factor that can contribute to whether a breach could cause serious harm is whether several pieces of information have been leaked at the same time. Another consideration is whether the leak involves data often used for identity fraud, such as a driver's license number, passport details, Medicare card or financial details, the OAIC says.
The OAIC has received a steady drip of reports, which it summarizes in quarterly updates. While some breaches did become public before the law took effect, the OAIC's reports have shed light on the frequency of both data mishaps and malicious incidents.
The third quarterly report for the year, released on Oct. 30, showed the OAIC received 245 notifications between July and September. A little over a third of those incidents resulted from human error, with more than half the result of malicious or criminal activity.