November 9, 2023
The 12-hour collapse of Optus’s services showed that it has learnt little about how to respond to a catastrophic event, at least when it comes to talking to its customers. Optus executives effectively curled into a ball and hoped 10 million customers were happy to have the day off. The by-product of this major failure was a run of reports on how it has not learnt from its data breach fiasco, where the information flow was slow and sparse. The Australian’s article Has Optus learned from the cyberattack playbook? is fairly typical. It is quite amusing to watch columnists lately stumble upon this basic need to be transparent with customers.
The thing is that issuing statements of bad news following a data breach has become a sophisticated exercise in the United States, and it should be treated seriously in Australia. Unfortunately it isn’t. I have been writing on the importance of …
Posted in General
November 2, 2023
The health industry is notorious for its data breaches, in Australia, the United States, the United Kingdom and Europe. It is a chronic problem with many causes: a dreadful culture, especially among medical staff; poor systems; poor training; large numbers of staff with many ways of accessing data; and such a rich load of personal information concentrated in one system. The information we are expected to provide to doctors, hospitals, ambulance providers, respite centres and so on is in many cases sufficiently broad and detailed to commit identity theft.

The Age reports in ‘Curious’ pharmacist spied on patient records at The Alfred that an employed pharmacist accessed the personal information of 7,000 patients over a four-year period without authorisation. That access included viewing the records of fellow staff members. This is a depressingly common occurrence, which I post on regularly: for example, in August last year with Health advisor in the UK fined for unlawfully accessing patient records; in NSW, where such conduct resulted in a nurse having her registration cancelled; and in UK Information Commissioner prosecutes unauthorised access to personal information..part of a growing problem. The Guardian reported last year that 24 UK doctors were censured in a five-year period for medical record breaches.

Earlier this week Ontario hospitals suffered a data breach as a result of a cyber attack. That breach was caused by the ransomware group Daixin Team, which is now leaking the data. Last Friday a Medibank-owned health insurer, ahm, had to take down its online insurance quote form because personal information entered by one person was displayed to another when the latter tried to fill out the form.
Alfred Health released a statement today about the privacy breach. There is not much in the way of good corporate citizenry involved in this release: the investigation began in June, the pharmacist was subsequently sacked, and the statement comes only now.
Alfred Health’s statement provides:
Alfred Health chief executive Prof Andrew Way has issued a written apology to more than 7000 patients after their medical records were viewed by a healthcare worker while not directly involved in their care.
Prof Way said accessing patient information without a direct clinical reason is a breach of privacy and completely unacceptable.
“We deeply value the relationship we have with our patients, and the trust they put in us, and we unreservedly apologise for the healthcare worker’s misconduct,” Prof Way said.
“We have written to every patient whose medical record was accessed without authority, and we have invited them to call our dedicated hotline if they would like additional information or support.”
While cybersecurity experts reviewing the privacy matter found no evidence of download or use of patient information, the former worker’s behaviour was a fundamental breach of professional standards.
“What began as a healthcare worker’s legitimate professional access to the electronic medical records system morphed to include access for personal curiosity,” he said.
“As soon as this behaviour was confirmed, we terminated their employment and referred the matter to both the Australian Health Practitioner Regulation Agency (Ahpra) and the Australian Digital Health Agency.”
There is no evidence the, now, former employee kept a copy of any data, shared data online or otherwise misused patient data.
The health service is looking at whether there is technology available to improve the detection of unusual behaviour in the electronic medical record system, while still ensuring seamless access for time critical patient care.
The last sentence is the most apt: having technology and systems to improve the detection of unusual behaviour. Of course such programs exist, and of course they operate in the health sector. That it took the Alfred four years to detect unusual behaviour, …
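The kind of detection the statement alludes to is not exotic. As an added illustration (not part of the original post, and not Alfred Health’s or any vendor’s code), the following script runs three checks a hospital privacy team would typically apply to an EMR audit trail: an access with no documented care relationship to the patient, an access to the record of a fellow staff member, and a user viewing far more distinct patients in a day than their role peers. The audit log lines, the care-relationship table and the staff-patient mapping are all constructed sample data; a real deployment would derive the relationships from encounter, ward and dispensing records.

```python
"""Detect curiosity-driven record browsing in EMR audit logs (illustrative).

Checks applied to each audit row:
  1. no_care_relationship: the user has no documented clinical link to the patient,
  2. staff_record: the record belongs to a fellow staff member,
  3. volume_anomaly: distinct patients viewed in a day far exceeds the role-peer median.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit log (not real data). Columns: timestamp, user id,
# role, patient medical record number (MRN), action.
AUDIT_LOG = """\
timestamp,user,role,mrn,action
2023-06-01T08:02:00,pharm01,pharmacist,MRN1001,view
2023-06-01T08:05:00,pharm01,pharmacist,MRN1002,view
2023-06-01T12:31:00,pharm01,pharmacist,MRN1003,view
2023-06-01T12:33:00,pharm01,pharmacist,MRN1004,view
2023-06-01T12:34:00,pharm01,pharmacist,MRN1005,view
2023-06-01T12:36:00,pharm01,pharmacist,MRN1006,view
2023-06-01T12:38:00,pharm01,pharmacist,MRN1007,view
2023-06-01T12:40:00,pharm01,pharmacist,MRN1008,view
2023-06-01T12:45:00,pharm01,pharmacist,MRN2001,view
2023-06-01T09:10:00,pharm02,pharmacist,MRN1101,view
2023-06-01T09:20:00,pharm02,pharmacist,MRN1102,view
2023-06-01T10:00:00,pharm03,pharmacist,MRN1201,view
2023-06-01T10:15:00,pharm03,pharmacist,MRN1202,view
2023-06-01T07:30:00,nurse07,nurse,MRN1301,view
2023-06-01T07:40:00,nurse07,nurse,MRN1302,view
2023-06-01T07:50:00,nurse07,nurse,MRN1303,view
"""

# Constructed care relationships: (user, mrn) pairs that an encounter, ward
# roster or dispensing order would justify. Assumed source of truth.
CARE_RELATIONSHIPS = {
    ("pharm01", "MRN1001"), ("pharm01", "MRN1002"),
    ("pharm02", "MRN1101"), ("pharm02", "MRN1102"),
    ("pharm03", "MRN1201"), ("pharm03", "MRN1202"),
    ("nurse07", "MRN1301"), ("nurse07", "MRN1302"), ("nurse07", "MRN1303"),
}

# Constructed mapping of patient MRNs that belong to current staff members.
STAFF_MRNS = {"MRN2001": "nurse07"}


def parse_log(text):
    """Parse the CSV audit trail into dicts with a real datetime."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
        rows.append(r)
    return rows


def flag_no_care_relationship(rows, relationships):
    """Every access not backed by a documented care relationship."""
    return [(r["user"], r["mrn"], "no_care_relationship")
            for r in rows if (r["user"], r["mrn"]) not in relationships]


def flag_staff_record_access(rows, staff_mrns):
    """Accesses to a colleague's record by someone other than that colleague."""
    return [(r["user"], r["mrn"], "staff_record")
            for r in rows
            if r["mrn"] in staff_mrns and staff_mrns[r["mrn"]] != r["user"]]


def flag_volume_outliers(rows, factor=3.0, min_patients=5):
    """Users whose distinct-patient count for a day exceeds factor x role median.

    min_patients stops a quiet role (median 1) from flagging ordinary workloads.
    """
    per_user_day = defaultdict(set)
    role_of = {}
    for r in rows:
        per_user_day[(r["user"], r["timestamp"].date())].add(r["mrn"])
        role_of[r["user"]] = r["role"]
    per_role = defaultdict(list)
    for (user, _), mrns in per_user_day.items():
        per_role[role_of[user]].append(len(mrns))
    findings = []
    for (user, day), mrns in per_user_day.items():
        baseline = median(per_role[role_of[user]])
        if len(mrns) >= min_patients and len(mrns) > factor * baseline:
            findings.append((user, day.isoformat(), "volume_anomaly", len(mrns), baseline))
    return findings


def analyse(text, relationships, staff_mrns):
    """Run all three checks and group the findings by check."""
    rows = parse_log(text)
    return {
        "no_care_relationship": flag_no_care_relationship(rows, relationships),
        "staff_record": flag_staff_record_access(rows, staff_mrns),
        "volume": flag_volume_outliers(rows),
    }


if __name__ == "__main__":
    for check, hits in analyse(AUDIT_LOG, CARE_RELATIONSHIPS, STAFF_MRNS).items():
        print(check, len(hits), hits[:3])
```

Two caveats matter in practice. A care-relationship check is only as good as the encounter data behind it, and a pharmacist legitimately touches many patients’ records, which is exactly why the statement says the access “began as legitimate professional access”; the peer-volume comparison and the staff-record check catch what the relationship check alone would excuse. Conversely, time-critical care needs a break-glass path, so these checks belong in retrospective review and alerting, not as hard blocks on the EMR.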
Posted in Privacy