Medical data breaches hit medical industry in Australia and overseas

May 17, 2024

The Health Industry is a keen target for cyber attacks. Hospitals, medical surgeries and health industry organisations collect vast amounts of personal and financial information on the one hand. On the other, the industry is notoriously prone to attack. In the United States Singing River Health System has been hacked with the records of 895,000 stolen while an attack on Ascension has resulted in Ambulances being diverted and EHRs taken off line. But it is Australia where one of the most significant attacks in the health industry has occurred. There has been a data breach at Medisecure, a company which provides electronic prescriptions and monitoring. There is good coverage by the Australian Financial Review which puts this attack in the context of large scale data breaches in Australia in the last year or so.

Given that Medisecure, a name that is deeply ironical today, is the only accredited electronic provider of prescription this is a potentially disastrous development. 

As per usual in the Australian environment MediSecure has released a very brief (non) statement which provides:

MediSecure has identified a cyber security incident impacting the personal and health information of individuals. We have taken immediate steps to mitigate any potential impact on our systems.

While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors.

MediSecure takes its legal and ethical obligations seriously and appreciate this information will be of concern. MediSecure is actively assisting the the National Cyber Security Coordinator to manage the impacts of the incident. MediSecure has also notified the Office of the Australian Information Commissioner and other key regulators.

MediSecure understands the importance of transparency and will provide further updates via our website as soon as more information becomes available. We appreciate your patience and understanding during this time.

While most of the statement is pap what is relevant is that the breach came through a third party vendor.  That is a common entrepot for major data breaches.  Many organisations have not properly grappled with ensuring that third party operators which authorisations and access rights to their Read the rest of this entry »

The Federal Government announces the appointment of a new Information Commissioner, starting on 16 August 2024

May 13, 2024

The Attorney General has announced the appointment of Elizabeth Tydd as Information Commissioner. It is an internal appointment, uplifting Tydd from Freedom of Information Commissioner to the top job. It is too early to say whether that is an inspired choice or not.  It is probably a safe choice.  But there is a very good argument to be made for the regulator to have an outsider to take the helm and adopt a more assertive stance, such as Sims did at the ACCC.  Australian Information Commissioners have been worthy, decent and quite conservative.  Compared to regulators in the UK, Europe and the US the Information Commissioner’s work rate is low.

The Government’s announcement Read the rest of this entry »

Bill(s) to amend Privacy Act 1988 to be introduced into Federal Parliament in August 2024.

May 8, 2024

Innovation Aus reports, in Privacy bill to come before Parliament in August, that the long mooted, eagerly awaited and desperately needed amendments to the Privacy Act will be introduced into Federal Parliament At the recent Privacy By Design awards the Attorney General speak generally about the need for reform but gave no specifics.

The Innovation Article provides:

Legislation for a long-awaited overhaul of Australia’s outdated privacy laws will be introduced to Parliament in less than four months, rounding out a policy reform process that has been more than four years in the making.

Prime Minister Anthony Albanese announced the timeline last Wednesday, although limited his comments to the introduction of anti-doxxing laws — a recent focus for the federal government.

On Thursday, Attorney-General Mark Dreyfus said that legislation to “overhaul the Privacy Act and protect Australians from doxxing” would be introduced by the government in August.

He reiterated that the current privacy regime is “woefully outdated and unfit for the digital age”, with “speed of innovation and the rise of artificial intelligence” only making the need for legislative change more important.

A spokesperson for Mr Dreyfus on Monday confirmed to InnovationAus.com that the legislation will address the entirety of the government’s response to the Privacy Act Review.

The legislation will institute all proposals that the government agreed to in its response to the review in September 2023, but it is not yet clear how many of the in-principle proposals will be included.

The government is expected to continue to consult on proposed reforms until the laws are introduced, although it has not been determined if draft exposure legislation will be released before the bill is tabled. Read the rest of this entry »

US Federal Communications Commission fines AT&T, SPRINT, T-MOBILE, AND VERIZON a total of 200 million for sharing location data

May 1, 2024

Location data is very valuable when combined with other data.  It is important in its own right.  The data relates in individuals so is privacy intrusive if provided to third parties without consent.  The sharing without consent was a practice by large US carriers.  Until now.  The Federal Communications Commission (“FCC”) has fined the largest carries in the USA for sharing location data. The fines were:

  • Sprint $12 million 
  • T-Mobile $80 million
  •  AT&T  $57 million, and
  • Verizon  $47 million

The FCC media release provides:

WASHINGTON, April 29, 2024—Today, the Federal Communications Commission fined the nation’s largest wireless carriers for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure.  Sprint and T-Mobile – which have merged since the investigation began – face fines of more than $12 million and $80 million, respectively.  AT&T is fined more than $57 million, and Verizon is fined almost $47 million.

“Our communications providers have access to some of the most sensitive information about us.  These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are,” said FCC Chairwoman Jessica Rosenworcel.  “As we resolve these cases – which were first proposed by the last Administration – the Commission remains committed to holding all carriers accountable and making sure they fulfill their obligations to their customers as stewards of this most private data.” Read the rest of this entry »

Qantas suffers data breach through a hack of its app

Qantas has suffered a data breach involving its mobile phone app. Apps are notoriously vulnerable, usually because organisations commonly sacrifice building in proper security in the rush to release a shiny new app. The data breach involving the Qantas app was that frequent flyers using the app could access other people’s accounts. A possible cause of the data breach is a fault occurring because of recent system changes.

The Australian covers the Read the rest of this entry »

Hungry Jacks has data breach involving personal information of thousands of staff

April 24, 2024

Data breaches come in a variety of forms. The theft of personal information through cyber attacks by criminal gangs are widely reported but are less frequent than other, more prosaic, data breaches. Such as the recent breach of data by Hungry Jacks of its staffs personal information. This involved someone in the chain’s training and communication section sending out a spreadsheet containing staff personal information; names, email addresses, job titles etc. The story is reported in the Sydney Morning Herald’s Personal data of ‘thousands’ of Hungry Jack’s staff exposed in internal leak. This is a depressingly familiar breach. And almost de rigeour for government agencies.  It bespeaks poor privacy training and data handling by staff.  For staff to attach a document containing personal information and sending it widely typically involves a poor review of the document itself and woeful Read the rest of this entry »

The US Executive promulgate amendments to the HIPAA Privacy Rule on reproductive healthcare

The ongoing political, legal and policy controversy following the Supreme Court decision in  Dobbs v. Jackson Women’s Health Organization (“Dobbs”) to overturn Roe v Wade continues to reverberate.  Including in the area of privacy law.  It should be noted that Roe v Wade was in essence a privacy decision.  The majority opinion written by Justice Harry A. Blackmun, the Court held that a set of Texas statutes criminalizing abortion in most instances violated a constitutional right to privacy, which it found to be implicit in the liberty guarantee of the due process clause of the Fourteenth Amendment (“…nor shall any state deprive any person of life, liberty, or property, without due process of law”).   Roe was a controversial decision politically, and increasingly so, but also a decision that attracted significant debate within the legal community.  The pillars of a constitutional right to privacy are enumerated provision of the Bill of Rights.  

The response to Dobbs at the Federal level by the Executive has been to strengthen the privacy controls on the collection, use and sharing of health information. Yesterday the White House announced, through the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) a Rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy.

Under the Rule there will be a prohibition on Read the rest of this entry »

Privacy Rights Act introduced into the US House of Representatives. Possible Federal Privacy Act

April 23, 2024

There are mandatory data breach notification laws in all 50 states of the United States of America. There has been occasional attempts to enact comprehensive privacy legislation at a Federal level. There is the 1974 Privacy Act which established a Code of Fair Information Practice on federal agencies. The result has been limited and generally sector specific legislation at the Federal level. There may be a change on the horizon with a bill being introduced for an American Privacy Rights Act 2024 (“APRA”) by House of Representatives members Cathy McMorris Rodgers (R-WA) and Senator Maria Cantwell (D-WA)

Read the rest of this entry »

The APRA will apply to businesses:

  • subject to the authority of the Federal Trade Commission (“FTC”),
  • common carriers, and
  • nonprofits
  • businesses that process covered data5 on behalf of or at the direction of Covered Entitie

APRA will:

  • impose obligations to minimize processing of covered data and apply reasonable data security measures.
  •  impose heightened obligations on high-impact social media companies and large data holders.
  • create uniform data privacy rights including the right to:
    • opt out of targeted advertising
    • view, correct, export or delete their data.
    • increased transparency by mandating the inclusion of specific information on data processing, retention, transfers to third parties, security practices, and consumers’ rights in their public facing privacy policies.
  • impose on Covered Entities and Service Providers, the APRA would impose additional obligations on high-impact social media companies and large data holders.
  • impose heightened transparency obligations on “large data holders,” defined as Covered Entities or Service Providers that had a gross revenue of at least USD 250 million in the most recent calendar year and collected, processed, retained or transferred:
    • the covered data of over 5 million individuals; 15 million portable devices that identify, or are linked or reasonably linkable to one or more individuals; and 35 million connected devices that identify, or are linked or reasonably linkable to one or more individuals; or
    • the sensitive data of over 200 thousand individuals; 300 thousand portable devices that identify, or are linked or reasonably linkable to one or more individuals; and 700 thousand connected devices that identify, or are linked or reasonably linkable to one or more individuals.
  • require large data holders to

Read the rest of this entry »

Alcohol addiction treatment firm caught by Federal Trade Commission disclosing health data for advertising…

April 12, 2024

If there is any doubt about the value of health data and the importance of maintaining strict security look no further than the Federal Trade Commission’s (“FTC”) action against Monument Inc, a New York based alcohol addiction center for selling its users personal health data to, amongst others, Meta and Google without their consent. Under the agreed consent order Monument is banned from disclosing health data for advertising and must obtain consent before sharing for any other purpose. That however is only the tip of a very big administrative iceberg that Monument has to navigate around.  The FTC, as per its usual practice, has set down obligations for implementing procedures and taking action and being monitored by an assessor.  The enforceable undertakings are far better drafted and more encompassing that those, few, undertakings issued by the Information Commissioner.  They are useful to read because they contain clauses that could be incorporated into contracts, terms of settlement and, perhaps if the Information Commissioner became more active, the regulator could use.

The statement from the FTC provides:

The Federal Trade Commission has taken action against an alcohol addiction treatment service for allegedly disclosing users’ personal health data to third-party advertising platforms, including Meta and Google, for advertising without consumer consent, after promising to keep such information confidential.

As part of a proposed order settling the FTC allegations, New York-based Monument, Inc. will be banned from disclosing health information for advertising and must obtain users’ affirmative consent before sharing health information with third parties for any other purpose. Read the rest of this entry »

Diabetes WA reveals significant data breach, one of many and increasing number of health data breaches worldwide

April 6, 2024

On 2 April 2024 Diabetes WA announced a data breach in a quite cryptic statement. It refers to “some of our contacts” which covered names, addresses and medical number and type of diabetes, amongst other information. Diabetes WA recommend getting replacement Medicare card numbers. It is reported by itnews with Diabetes WA reveals data breach. The breach occurred through a compromised account and Diabetes WA believe the breach involved those persons using the telehealth services.  Even with a limited attack the data available to the intruder was significant.

Data Breach today reports in Health Data Thefts Keep Coming; Millions Affected in 2024 that the US Department of Health and Human Services had 174 health data breaches in the USA involving 16.6 million individuals since the beginning of this year.

Health remains a key focus for attackers because health services collect and store vast troves of personal information.  That said, the level of complacency by hospitals and health services is quite high and the willingness to spend on proper data security, quite low.

The Diabetes WA notification provides:

Diabetes WA recently experienced a cyber incident, which resulted in a third-party gaining access to the personal information of some of our contacts.

This breach was quickly detected and fully contained. It is under investigation through Diabetes WA’s Cyber Security Response Plan.

We can confirm that no detailed medical records or detailed clinical information were accessed.

Diabetes WA has sent a communication to all affected individuals of this incident.  We have also notified the Office of the Australian Information Commissioner of this incident.

Based on our investigation, we understand that personal information may have been affected by the incident including the following details:

Name –  Address – DOB – Email – Telephone number – Marital Status – Aboriginal Status – Medicare Number – Referring doctor – Type of diabetes

We have taken decisive action to protect data we hold in this cyber incident and will further reinforce our technology security measures to protect us from potential future attacks.

We recommend that those affected apply for a replacement Medicare card number from Services Australia. Your replacement card will have a new issue number and expiry date and your old card will no longer be valid. You can do this by:

    • Signing in to your myGov account, selecting “Get a Replacement” and following the prompts; or
    • Calling Services Australia on 132 011.

Some further steps you may consider taking to protect yourself include:

    • Be aware of emails and telephone calls from people requesting your personal details, (especially things like your date of birth, residential address, email address, username or passwords which are often used to verify your identity).
    • Contact IDCare on 1800 595 160 or visit www.idcare.org who can provide you with additional guidance on the steps you can take to protect yourself from identity fraud.
    • If you start to receive unwanted telemarketing calls, consider registering your number with the Australian Communications and Media Authority’s ‘Do Not Call register’ by visiting www.donotcall.gov.au/consumers/register-your-numbers You can also contact your service provider and request to change your number.

The itnews report on the Diabetes WA data breaches Read the rest of this entry »

Verified by MonsterInsights