Health sector and government under scrutiny: Record data breaches expose millions

Digital & Innovation: The national privacy regulator has raised alarm over escalating threats, reporting a record surge in data breach notifications. With civil penalty proceedings now underway against Medibank Private and Australian Clinical Labs, the OAIC is intensifying scrutiny on organisations failing to protect personal information.

New data from the Office of the Australian Information Commissioner (OAIC) reveals Australia recorded 527 data breach notifications in the first half of 2024 – the highest in the past 3.5 years and marking a 9% increase compared to the previous six months.

Australian Privacy Commissioner, Carly Kind, described this spike as a clear indicator of growing threats to Australians’ privacy.

“Almost every day, my office is notified of data breaches where Australians are at likely risk of serious harm. This harm can range from an increase in scams and the risk of identity theft to emotional distress and even physical harm,” Commissioner Kind said.

“Privacy and security measures are not keeping up with the threats facing Australians’ personal information and addressing this must be a priority.”

Cybersecurity incidents continue to be a prevalent cause of data breaches, representing 38% of the total and the reason as to why it is attracting the top technology investment for Australian and New Zealand (ANZ) companies.

The healthcare sector (19%) and federal government (12%) are the most affected, with criminal attacks responsible for a staggering 67% of breaches. Human error, still a significant concern, accounted for 30% of the breaches.

One breach that has particularly raised eyebrows involved the MediSecure prescription delivery service, impacting 12.9 million individuals – the largest data breach since the Notifiable Data Breaches scheme was introduced six years ago.

Commissioner Kind highlighted the evolution of expectations under the scheme, saying, “The Notifiable Data Breaches scheme is now mature, and we are moving into a new era in which our expectations of entities are higher.

“Our recent enforcement action, including against Medibank and Australian Clinical Labs, should send a strong message that keeping personal information secure and meeting the requirements of the scheme when a data breach occurs must be priorities for organisations.”

The release of the OAIC’s report coincides with the Australian Government’s introduction of the Privacy and Other Legislation Amendment Bill 2024. The Bill seeks to enhance the OAIC’s enforcement powers, proposing a strengthened civil penalty regime and new infringement notice powers. It also aims to tighten security obligations under Australian Privacy Principle 11, requiring organisations to adopt robust technical and organisational safeguards, such as data encryption and staff training.

While the OAIC has welcomed these new measures, it stressed that further reforms, in line with the government’s response to the Privacy Act Review, are necessary to elevate security standards across the economy and improve the Notifiable Data Breaches scheme.

“We would like to see all organisations be required to build the highest levels of security into their operations to protect Australians’ personal information to the maximum extent possible,” Commissioner Kind emphasised.

In reimagining healthcare, Health Industry Hub^TM is the ONLY one-stop-hub uniting the diversity of Pharma, MedTech, Diagnostics & Biotech sectors to inspire meaningful change. The exclusive leadership and influencer podcasts and vodcasts offer unparalleled insights and add immense value to our breaking news coverage.

The Health Industry Hub^TM content is copyright protected. Access is available under individual user licenses. Please click here to subscribe and visit T&Cs here.