Significant data breach at Ambulance Tasmania through interception of its paging service, with data of patients who contact ambulances published online
January 8, 2021
Ambulance Tasmania has suffered a massive data breach. According to the ABC’s “Tasmania Police called in after ambulance patient details published online”, personal information of every Tasmanian who called the Tasmanian Ambulance Service since November 2020 has been accessed and posted online by a third party. The specific nature of the breach is unknown, but it was a breach of the paging system. What makes this breach so damaging is that the data accessed is sensitive information, relating to a person’s health status as well as that person’s age, gender and address.
What is both surprising and disturbing is that the data hacked from Ambulance Tasmania has been publicly visible since November last year.
What is less surprising is that it appears deficiencies had previously been identified in the communications system and processes. That is quite a common situation. The problems are apparent, but there is no incentive to attend to them because time and money can be spent elsewhere for more immediate benefit, and the legal consequences of a data breach are small because the legislation is weak and the regulators are timid.
The Government response follows the dreary, obsolete path adopted by many Australian Government agencies: the responsible minister is concerned, refers the breach to the police, blandly claims appropriate steps have been taken and, yes, it is concerning. That approach was abandoned long ago by more sophisticated organisations overseas. Being proactive and providing more, rather than less, information is more helpful, and does more to promote confidence, than spouting meaningless bromides. Not surprisingly, but very disappointingly nevertheless, Ambulance Tasmania has not issued any statement. Nor has the Department of Health. This take-cover-and-hope-the-story-moves-on approach often increases reputational damage.
Tasmania has privacy-related legislation, being the Personal Information Protection Act 2004. It is toothless legislation in terms of giving individuals any ability to seek redress. The best that can be done is a complaint to the Ombudsman under section 21, who may advise that there has been a breach of the Act, make recommendations and give the advice to the responsible Minister.
The ABC piece provides:
The private details of every Tasmanian who has called an ambulance since November last year have been published online by a third party in a list still updating each time paramedics are dispatched.
Key points:
- Ambulance Tasmania uses a paging system in initial communications between the dispatch team and paramedics on the ground
- Pager messages dating back to November have been uploaded to a website, which is still live and continually updating
- The health union has described the data dump as “horrific”
The breach of Ambulance Tasmania’s paging system has been described as “horrific” by the Health and Community Services Union, which has suggested the data dump could leave the Government open to litigation.
Pager messages include patients’ personal details and condition as well as the address of the incident.
Information made public also includes a patient’s HIV status, gender and age, raising concerns it could lead to discrimination or stigmatisation.
“It’s unbelievable,” state secretary Tim Jacobson said.
“If I were a patient I’d be upset, I’d be concerned, and I would want to know immediately both what the Government has done about closing off this but also what the Government’s now doing or likely to do to address any real breaches of privacy for those patients.”
According to internal training materials, Ambulance Tasmania’s paging system is the primary method of initial communications between the agency’s communications centre and paramedics on the ground.
The website is more than 26,000 pages long and also details call-outs within the Tasmania Fire Service. It provides brief details on incidents, including mental health call-outs.
University of Tasmania privacy expert Joel Scanlan said most patients would expect their data would be kept private.
“I don’t think it’s overly surprising, we’ve seen a few similar paging systems have similar breaches,” he said.
The Tasmanian Government has committed more than half a billion dollars to upgrading the state’s ailing emergency communications network.
In December, acting premier Jeremy Rockliff announced Telstra had been awarded the contract to deliver the Tasmanian Government Radio Network, or TasGRN.
One action identified within the TasGRN project was the so-called Paging Project, which aimed to “replace critical end-of-life equipment and restore the paging network to a fit-for-purpose state”.
It is unclear if the breach is connected to the Paging Project changeover.
Mr Jacobson said the breach went to broader issues within Ambulance Tasmania.
In 2019, a report from consultancy firm IPM Consulting found more than half of the 39 work health and safety requirements that were assessed were non-compliant with Australian and New Zealand standards, and another 13 were only partially compliant.
“This breach tells an absolute story about the internal management systems and processes that are in place in Tasmania’s most critical services,” he said.
Data upload ‘referred to police’
In answer to the ABC’s questions, a Tasmanian Government spokesperson said: “Enquiries are currently being undertaken as to the legal basis of the site.”
“The site has gone off-line and work is being undertaken with the Australian Cyber Security Centre (ACSC) to pursue shutdown should it re-emerge.”
In a statement on Friday afternoon, Health Minister Sarah Courtney said she was “very concerned to hear that the sensitive information of some Tasmanians had been posted to a website”.
“After a discussion with the secretary of the Department of Health, Kathrine Morgan-Wicks, the matter of how this data interception from the Fire and Ambulance paging system has occurred has been referred to Tasmania Police.
“Appropriate steps have been taken by Ambulance Tasmania to limit the transmission of personal information via the paging system, balanced against the need to ensure patient and staff safety in responding to incidents is paramount.”
Ms Courtney said it was her “understanding that access to the site has been blocked”.
“I understand this may be distressing for those affected and I can assure Tasmanians that the Government is taking this matter incredibly seriously and I will take all necessary steps to protect the privacy of our patients.”
The story has also received coverage in the Examiner with “‘Shocking’ Ambulance Tasmania patient privacy breach referred to police”, which provides:
A massive privacy breach has rocked the state’s Health Department, with the revelation that the details of every Tasmanian who called an ambulance since November last year were made publicly available online.
Health Minister Sarah Courtney said the matter had been referred to Tasmania Police.
“I am very concerned to hear that the sensitive information of some Tasmanians had been posted to a website,” she said in a statement this evening.
“Appropriate steps have been taken by Ambulance Tasmania to limit the transmission of personal information via the paging system, balanced against the need to ensure patient and staff safety in responding to incidents.”
“This is an extremely concerning matter that will be further investigated, however I would like to reassure the Tasmanian community that it is safe to call 000 in an emergency and we have taken steps to safely respond to this situation.”
It’s understood access to the site where the data was posted has been blocked.
The data included the addresses of patients, their condition, HIV status, age and gender. It showed up on a website appearing to be serving as Ambulance Tasmania’s paging system, and was being updated in real-time.
It also included Tasmania Fire Service call-outs.
Health and Community Services Union state secretary Tim Jacobson said the website had been publicly visible “at least since November”.
“It’s absolutely shocking that there is information publicly available in terms of incidents and the health status of various individuals at various premises across the state,” he said.
“It’s horrific to even look at it.
“The state government are the holder of the information and they’re the organisation that seems to have released it, they have an obligation to report it and I’m not sure that that’s actually happened.”
Opposition health spokeswoman Sarah Lovell said the government needed to reveal how long it had known about the breach.
“To be in a situation where you’re calling an ambulance in the first place is distressing enough, but then to have your personal details posted and kept up online for all this time is too much,” she said.
“What this says about the government’s under-investment in cyber security is seriously troubling. But what it says about the government’s disregard for the privacy of Tasmanians is even worse.”
Tasmanian Greens leader Cassy O’Connor said the breach was “inexcusable” and “an epic failure to protect the privacy of Tasmanians”.
“An urgent, rigorous investigation and absolute transparency from government is required,” she said. “We need to get to the bottom of not just how this breach occurred, but also how it remained undetected for so long.”