Hungry Jacks has data breach involving personal information of thousands of staff

April 24, 2024

Data breaches come in a variety of forms. The theft of personal information through cyber attacks by criminal gangs is widely reported, but such attacks are less frequent than other, more prosaic, data breaches, such as the recent breach by Hungry Jack's of its staff's personal information. This involved someone in the chain's training and communication section sending out a spreadsheet containing staff personal information: names, email addresses, job titles etc. The story is reported in the Sydney Morning Herald's Personal data of 'thousands' of Hungry Jack's staff exposed in internal leak. This is a depressingly familiar breach, and almost de rigueur for government agencies. It bespeaks poor privacy training and data handling by staff. For staff to attach a document containing personal information and send it widely typically involves a poor review of the document itself and woeful

The US Executive promulgates amendments to the HIPAA Privacy Rule on reproductive healthcare

The ongoing political, legal and policy controversy following the Supreme Court decision in Dobbs v. Jackson Women's Health Organization ("Dobbs") to overturn Roe v Wade continues to reverberate, including in the area of privacy law. It should be noted that Roe v Wade was in essence a privacy decision. In the majority opinion, written by Justice Harry A. Blackmun, the Court held that a set of Texas statutes criminalizing abortion in most instances violated a constitutional right to privacy, which it found to be implicit in the liberty guarantee of the due process clause of the Fourteenth Amendment ("…nor shall any state deprive any person of life, liberty, or property, without due process of law"). Roe was a controversial decision politically, and increasingly so, but also a decision that attracted significant debate within the legal community. The pillars of a constitutional right to privacy are enumerated provisions of the Bill of Rights.

The response to Dobbs at the Federal level by the Executive has been to strengthen the privacy controls on the collection, use and sharing of health information. Yesterday the White House announced, through the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), a Rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy.

Under the Rule there will be a prohibition on

Privacy Rights Act introduced into the US House of Representatives. Possible Federal Privacy Act

April 23, 2024


There are mandatory data breach notification laws in all 50 states of the United States of America. There have been occasional attempts to enact comprehensive privacy legislation at a Federal level. The 1974 Privacy Act established a Code of Fair Information Practice for federal agencies, but otherwise the result has been limited and generally sector-specific legislation at the Federal level. There may be a change on the horizon with a bill for an American Privacy Rights Act 2024 ("APRA") being introduced by House of Representatives member Cathy McMorris Rodgers (R-WA) and Senator Maria Cantwell (D-WA).

The APRA will apply to businesses:

  • subject to the authority of the Federal Trade Commission ("FTC"),
  • common carriers,
  • nonprofits, and
  • businesses that process covered data on behalf of or at the direction of Covered Entities.

APRA will:

  • impose obligations to minimize processing of covered data and apply reasonable data security measures.
  • impose heightened obligations on high-impact social media companies and large data holders.
  • create uniform data privacy rights, including the right to:
    • opt out of targeted advertising
    • view, correct, export or delete their data.
    • increased transparency, by mandating the inclusion of specific information on data processing, retention, transfers to third parties, security practices, and consumers' rights in their public-facing privacy policies.
  • in addition to the obligations imposed on Covered Entities and Service Providers, impose further obligations on high-impact social media companies and large data holders.
  • impose heightened transparency obligations on "large data holders," defined as Covered Entities or Service Providers that had a gross revenue of at least USD 250 million in the most recent calendar year and collected, processed, retained or transferred:
    • the covered data of over 5 million individuals; 15 million portable devices that identify, or are linked or reasonably linkable to, one or more individuals; and 35 million connected devices that identify, or are linked or reasonably linkable to, one or more individuals; or
    • the sensitive data of over 200 thousand individuals; 300 thousand portable devices that identify, or are linked or reasonably linkable to, one or more individuals; and 700 thousand connected devices that identify, or are linked or reasonably linkable to, one or more individuals.
  • require large data holders to

Alcohol addiction treatment firm caught by Federal Trade Commission disclosing health data for advertising…

April 12, 2024

If there is any doubt about the value of health data and the importance of maintaining strict security, look no further than the Federal Trade Commission's ("FTC") action against Monument Inc, a New York-based alcohol addiction treatment service, for selling its users' personal health data to, amongst others, Meta and Google without their consent. Under the agreed consent order Monument is banned from disclosing health data for advertising and must obtain consent before sharing it for any other purpose. That however is only the tip of a very big administrative iceberg that Monument has to navigate around. The FTC, as per its usual practice, has set down obligations for implementing procedures, taking action and being monitored by an assessor. The enforceable undertakings are far better drafted and more encompassing than those few undertakings issued by the Information Commissioner. They are useful to read because they contain clauses that could be incorporated into contracts and terms of settlement and that, if the Information Commissioner became more active, the regulator could use.

The statement from the FTC provides:

The Federal Trade Commission has taken action against an alcohol addiction treatment service for allegedly disclosing users’ personal health data to third-party advertising platforms, including Meta and Google, for advertising without consumer consent, after promising to keep such information confidential.

As part of a proposed order settling the FTC allegations, New York-based Monument, Inc. will be banned from disclosing health information for advertising and must obtain users' affirmative consent before sharing health information with third parties for any other purpose.

Diabetes WA reveals significant data breach, one of many and increasing number of health data breaches worldwide

April 6, 2024

On 2 April 2024 Diabetes WA announced a data breach in a quite cryptic statement. It refers to "some of our contacts", and the information covered names, addresses, Medicare number and type of diabetes, amongst other information. Diabetes WA recommends getting a replacement Medicare card number. It is reported by itnews in Diabetes WA reveals data breach. The breach occurred through a compromised account, and Diabetes WA believes the breach involved those persons using its telehealth services. Even with a limited attack, the data available to the intruder was significant.

Data Breach Today reports in Health Data Thefts Keep Coming; Millions Affected in 2024 that the US Department of Health and Human Services had recorded 174 health data breaches in the USA involving 16.6 million individuals since the beginning of this year.

Health remains a key focus for attackers because health services collect and store vast troves of personal information. That said, the level of complacency by hospitals and health services is quite high, and the willingness to spend on proper data security quite low.

The Diabetes WA notification provides:

Diabetes WA recently experienced a cyber incident, which resulted in a third-party gaining access to the personal information of some of our contacts.

This breach was quickly detected and fully contained. It is under investigation through Diabetes WA’s Cyber Security Response Plan.

We can confirm that no detailed medical records or detailed clinical information were accessed.

Diabetes WA has sent a communication to all affected individuals of this incident.  We have also notified the Office of the Australian Information Commissioner of this incident.

Based on our investigation, we understand that personal information may have been affected by the incident including the following details:

    • Name
    • Address
    • DOB
    • Email
    • Telephone number
    • Marital Status
    • Aboriginal Status
    • Medicare Number
    • Referring doctor
    • Type of diabetes

We have taken decisive action to protect data we hold in this cyber incident and will further reinforce our technology security measures to protect us from potential future attacks.

We recommend that those affected apply for a replacement Medicare card number from Services Australia. Your replacement card will have a new issue number and expiry date and your old card will no longer be valid. You can do this by:

    • Signing in to your myGov account, selecting “Get a Replacement” and following the prompts; or
    • Calling Services Australia on 132 011.

Some further steps you may consider taking to protect yourself include:

    • Be aware of emails and telephone calls from people requesting your personal details (especially things like your date of birth, residential address, email address, username or passwords, which are often used to verify your identity).
    • Contact IDCare on 1800 595 160 or visit www.idcare.org who can provide you with additional guidance on the steps you can take to protect yourself from identity fraud.
    • If you start to receive unwanted telemarketing calls, consider registering your number with the Australian Communications and Media Authority's 'Do Not Call register' by visiting www.donotcall.gov.au/consumers/register-your-numbers. You can also contact your service provider and request to change your number.

The itnews report on the Diabetes WA data breach

Westminster honeytrap scandal an example of spearphishing and damaging breach of privacy

The ever-expanding story of a senior Tory getting caught up in a sexting scandal and sharing private phone numbers highlights the dangers and impacts of spear phishing, and of the breach of privacy involved in passing on confidential phone numbers. The Times and others report that a senior Tory MP in the UK, William Wragg, gave out personal phone numbers because he was compromised in a honeytrap. The result was that at least 12 people received unsolicited WhatsApp messages. The Times has run a series of stories on this, leading off with Senior Tory admits leaking MPs' phone numbers in honeytrap sext scandal. It seems that Wragg was compromised by someone he met on Grindr, a gay dating app. He appears to be a victim of spear phishing, which is helpfully described by the Times here.

Recent data breaches have focused on cyber attacks and malware. But someone disclosing personal information belonging to other people without their consent, or outside the purpose for which it was created, is also a data breach. In this case it involved private contact details. The circumstances surrounding why the information was