UK National Health Service links patient death to a ransomware attack

June 30, 2025

Health services, especially hospitals, are a prime target for cyber attackers. The defences are usually weak and the responses confused. The target of the attack is personal information, and ransomware is a common method of extorting payment. But ransomware attacks can have dramatic consequences. The National Health Service in England has identified a ransomware attack in June 2024 on pathology laboratory services provider Synnovis as a contributing factor in the death of a patient. One of the contributing factors that led to the patient's death was a long wait for a blood test result due to the cyberattack.

A Russian-speaking ransomware group, Qilin, claimed responsibility for the attack, which triggered a nationwide shortage of type O-negative blood. The attack disrupted Synnovis' ability to perform a host of services, including blood testing, leading to the cancellation or postponement of 10,152 acute outpatient appointments and 1,710 elective procedures at the most affected NHS trusts, London's King's College Hospital and Guy's and St Thomas' hospitals. It was reported by the BBC in Ransomware attack contributed to patient's death.

This is not the first fatality linked to a ransomware attack. In 2020 a patient in Germany died during a cyber attack on a hospital in Düsseldorf. Wired has an excellent article on that very tragic event.

The BBC article Read the rest of this entry »

UK Data (Use and Access) Act receives Royal Assent. More changes to UK privacy legislation

June 24, 2025

There are continuous changes to privacy-related legislation in Europe and in many states of the United States of America. The UK has just made its changes to such legislation, on 19 June to be exact, after the bill passed both the House of Commons and the House of Lords on 11 June 2025. Australia completed the first tranche of its privacy reforms on 10 December 2025.

The amendments to the UK GDPR and Data Protection Act 2018 include:

  • providing a revised legal definition of 'recognised legitimate interests', which is narrower and public-sector focused, and setting out a list of bases for processing personal data. The Secretary of State can amend the list.
  • clearer provisions regarding the meaning of legitimate interest, with references to direct marketing, transmission of personal data for internal administration purposes, and what processing is necessary to ensure the security of network and information systems.
  • providing the Secretary of State with power to designate additional special categories of personal data and additional processing categories under special category data.
  • a revised scientific research definition.
  • an expanded provision on the meaning of further processing and what constitutes compatible processing.
  • narrowing the prohibition on automated decision-making.
  • providing specific provisions regarding children's "higher protection matters", with a need to take account of the same when providing information society services that are likely to be accessed by children.
  • codifying the data protection test for assessing adequacy of third countries or international organisations.
  • specifying that exporters of personal data should act reasonably and proportionately when making transfers subject to appropriate safeguards.
  • codifying the existing ICO guidance that organisations need to conduct reasonable and proportionate searches when responding to data subject access requests.
  • adjusting transparency requirements when it is impossible or involves disproportionate effort to inform data subjects of further processing for research purposes.
  • provisions establishing smart data schemes and digital verification services.
  • provisions relating to:
    • online safety research and data retention,
    • national security,
    • intelligence service and law enforcement use of data,
    • National Underground Asset,
    • Births and Deaths registers,
    • information standards for health and social care,
    • smart meters; and
    • overseas trust services.

Read the rest of this entry »

National Australia bank fined $751,200 for breaches of the Consumer Data Right Rules

The Australian Competition and Consumer Commission ("ACCC") has fined the National Australia Bank ("NAB") $751,200 for breaches of the Consumer Data Right Rules. The Rules are relatively recent legislative provisions designed to provide a secure, safe and easy-to-use means of sharing data with an accredited provider via the Consumer Data Right. Under the CDR Rules, data should be securely transferred from an existing provider.

The ACCC media release provides:

National Australia Bank Limited (NAB) has paid penalties totalling $751,200 after the ACCC issued it with four infringement notices for alleged contraventions of the Consumer Data Right (CDR) Rules.

The infringement notices relate to alleged failures by NAB to disclose, or accurately disclose, credit limit data in response to four separate requests made by different CDR accredited providers on behalf of consumers.

The CDR is an economy-wide data sharing program that empowers Australians to leverage the data businesses hold about them for their own benefit. Read the rest of this entry »

16 billion logins to Google, Apple and Facebook have been stolen and leaked online

June 22, 2025

It was not all that long ago that data breaches involved the personal information of thousands of people. That quickly escalated to hundreds of thousands, with the occasional big breach hitting the million mark. Now data breaches involving tens of millions and beyond are quite common. Hackers previously attacked one site at a time and exfiltrated data, often to the dark web; now multiple co-ordinated attacks are becoming standard practice, as with the hacking of multiple superannuation sites in Australia. The ABC, amongst others, reports that 16 billion logins for sites such as Google and Facebook have been leaked and compiled online. Bleeping Computer, in No, the 16 billion credentials leak is not a new data breach, has concluded that the publication of this vast trove of data was in fact a compilation of credentials previously stolen by infostealers. In a sense it doesn't matter. The data was stolen, and whether that occurred very recently or over a longer period, the fact that the data remains at large is hugely embarrassing on an ongoing basis for those who held the logins and a problem for those who used them. It highlights the need to have proper data security to start with.

The ABC article provides:

Billions of login credentials have been leaked and compiled into datasets online, giving criminals “unprecedented access” to accounts, according to new research from a cybersecurity publication.

The research from Cybernews revealed that a total of 16 billion credentials were compromised, including user passwords for Google, Facebook and Apple.

The report said the 30 exposed datasets each contained a vast amount of login information and the leaked information did not span from a single source, such as one breach targeting a company. Read the rest of this entry »

UK Information Commissioner’s Office fines 23andMe 2.3 million pounds for failing to protect genetic privacy

Since the genomic testing company 23andMe filed for bankruptcy (and even before then) it has been consistently in the news. There was profound concern about the genetic data of millions of people potentially being sold to third parties in any liquidation. The initial calls for customers to retrieve their data escalated to litigation against 23andMe. As it turned out, the co-founder and former CEO has purchased nearly all of the company's assets for $305 million through a non-profit, TTAM Research Institute. The problems with 23andMe predate its financial woes. The UK Information Commissioner's Office has recently issued a fine of £2.31 million against the company for failing to implement appropriate security measures following a cyber attack in 2023. The ICO and the Canadian Privacy Commissioner undertook a combined investigation into 23andMe's systems.

The media release provides:

We have fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023.

The penalty follows a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada.

What happened

Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials that were stolen from previous unrelated data breaches.

This resulted in the unauthorised access to personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports. The type and amount of personal information accessed varied depending on the information included in a customer’s account.

Our investigation found that 23andMe did not have additional verification steps for users to access and download their raw genetic data.

John Edwards, UK Information Commissioner, said:

“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.

“We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of UK residents.”

Philippe Dufresne, Privacy Commissioner of Canada, said:

“Strong data protection must be a priority for organisations, especially those that are holding sensitive personal information. With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organisation that is not taking steps to prioritise data protection and address these threats is increasingly vulnerable.

“Joint investigations like this one demonstrate how regulatory collaboration can more effectively address issues of global significance. By leveraging our combined powers, resources, and expertise, we are able to maximise our impact and better protect and promote the fundamental right to privacy of individuals across jurisdictions.”

Summary of the contraventions

The joint investigation into 23andMe revealed serious security failings at the time of the 2023 data breach. The company breached UK data protection law by failing to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols, or unpredictable usernames. It also failed to implement appropriate controls over access to raw genetic data and did not have effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information.

23andMe’s response to the unfolding incident was inadequate. The hacker began their credential stuffing attack in April 2023, before carrying out their first period of intense credential stuffing activity in May 2023. In August 2023, a claim of data theft affecting over 10 million users was dismissed as a hoax, despite 23andMe having conducted isolated investigations into unauthorised activity on its platform in July 2023. Another wave of credential stuffing followed in September 2023, but the company did not start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit. Only then did 23andMe confirm that a breach had occurred.

By the end of 2024, the security improvements made by 23andMe were sufficient to bring an end to the breaches identified in our provisional decision.

You can read the full details of the incident in our monetary penalty notice.

Impact on consumers

The combination of personal information that could be found in 23andMe accounts, such as post codes, race, ethnic origin, familial connections, and health data could potentially be exploited by malicious actors for financial gain, surveillance or discrimination. The ICO received 12 complaints from consumers. Some of the people affected by the breach told us the following:

“I expected rigorous privacy controls to be in place due to the nature of the information collected. Unlike usernames, passwords and e-mail addresses, you can’t change your genetic makeup when a data breach occurs.”

“Disgusted that my DNA data could be out there in the wild and been exposed to bad actors. Extremely anxious about what this could mean to my personal, financial and family safety in the future. Anxious about my 23andme connections, who may have been impacted and what this may mean further down the line for me.”

Legal requirements and our guidance

The law requires organisations to take proactive steps to protect themselves against cyber attacks. Our guidance recommends using two-factor or multi-factor authentication wherever possible, particularly when sensitive personal information is being collected or processed. In addition, organisations should regularly scan for vulnerabilities and instal the latest security patches without delay.

We have detailed guidance to help organisations understand their security obligations. Last year we published a cyber report, Learning from the mistakes of others, providing insights for people responsible for compliance with data protection legislation and cyber security at their organisation.

Advice for the public

The responsibility to keep people’s information secure lies first and foremost with companies that collect and use personal information, and they have a legal duty to take this responsibility seriously.

But there are also steps people can take to protect their personal information, for example: use strong, unique passwords for each account; enable multi-factor authentication wherever possible; and remain vigilant against phishing emails or messages that reference personal or genetic information.
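The ICO summary above faults 23andMe for lacking effective systems to monitor and detect the credential stuffing against its customers. As an added illustration (example code, not from the ICO, 23andMe or this blog), the following Python flags the characteristic pattern in authentication logs: one source address trying many distinct usernames in a short window, mostly failing, and then lists which accounts that source nonetheless logged into, the accounts that warrant a forced reset or step-up verification. The log format, addresses and usernames are constructed for the example.

```python
"""Credential-stuffing detection over constructed authentication log lines.
Example code, not from any real system; format, addresses and names are invented."""
from collections import defaultdict
from datetime import datetime, timedelta

# One event per line: "<iso-timestamp> <src-ip> <username> <OK|FAIL>" (constructed).
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.5 alice@example.test FAIL
2023-05-01T10:00:02 203.0.113.5 bob@example.test FAIL
2023-05-01T10:00:03 203.0.113.5 carol@example.test OK
2023-05-01T10:00:04 203.0.113.5 dave@example.test FAIL
2023-05-01T10:00:05 203.0.113.5 erin@example.test FAIL
2023-05-01T10:00:06 203.0.113.5 frank@example.test OK
2023-05-01T10:00:07 203.0.113.5 grace@example.test FAIL
2023-05-01T10:05:00 198.51.100.7 alice@example.test FAIL
2023-05-01T10:05:30 198.51.100.7 alice@example.test OK
2023-05-01T11:00:00 192.0.2.9 ivan@example.test OK
"""


def parse_log(text):
    """Return a list of (timestamp, src_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try at least `min_users` distinct usernames within
    `window` and mostly fail: a replayed credential list succeeds only where
    a password was reused.  Returns {src_ip: sorted accounts it logged into},
    i.e. the accounts to force a reset or step-up verification on."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        hits, start, is_stuffing = set(), 0, False
        for end in range(len(evs)):
            # slide the window start so the chunk spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            distinct = {e[2] for e in chunk}
            fails = sum(1 for e in chunk if not e[3])
            if len(distinct) >= min_users and fails / len(chunk) >= min_fail_ratio:
                is_stuffing = True
                hits.update(e[2] for e in chunk if e[3])
        if is_stuffing:
            flagged[ip] = sorted(hits)
    return flagged
```

A single user failing once and then succeeding from its own address (198.51.100.7 in the sample) is not flagged; only the many-usernames, mostly-failing pattern is.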

The regulatory structure applying in the United Kingdom differs from Australia's, sometimes quite significantly. That said, both have similar approaches when it comes to reviewing and, where appropriate, penalising breaches of security. It is therefore relevant to consider Penalty Notices issued by the ICO. The ICO has had a longer and more comprehensive history of issuing Penalty Notices and has a developed methodology. The number of Enforceable Undertakings in Australia has been relatively modest, and they are not nearly as comprehensive as those in the United Kingdom and the United States of America. That is likely to change over time with the increased powers and size of penalties under the Privacy Act 1988.

The Penalty Notice is 153 pages long. It is one of the most detailed written assessments of the failures but also, very helpfully, of what is best practice. It is a very useful resource. The relevant takeaways Read the rest of this entry »

Privacy Awareness week starts and runs to 22 June 2025

June 16, 2025

Today kicks off Privacy Awareness Week for 2025. The Privacy Commissioner has published material on rights under the Privacy Act 1988, which includes material on the Australian Privacy Principles and privacy guidance. The Victorian Information Commissioner has published a page on Privacy Awareness Week.

US Senate introduces bill for Healthcare Cybersecurity Act

June 11, 2025

By far and away the most targeted sites for hackers are health organisations, hospitals and health insurers. Those bodies hold vast troves of personal information and traditionally have weak cyber protection.

Senate Bill 1851 is the Healthcare Cybersecurity Act of 2025. It directs the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to collaborate and work with the healthcare sector to provide guidance and training on cybersecurity issues. It also directs CISA to establish criteria to determine whether a covered asset may be designated as a high-risk covered asset. These criteria are taken from the Critical Infrastructure Protection Act. Australia also has critical infrastructure legislation.

The press release provides:

WASHINGTON – U.S. Senators Todd Young (R-Ind.) and Jacky Rosen (D-Nev.) introduced the Healthcare Cybersecurity Act to bolster the health care and public health sectors’ cybersecurity. The bill would direct the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to collaborate on improving cybersecurity and make resources available to non-federal entities relating to cyber threat indicators and appropriate defense measures. It would also create a special liaison to HHS from CISA to support cybersecurity for health care and public health sector entities. Read the rest of this entry »

Today Australia has a statutory tort of serious invasion of privacy

June 10, 2025

After many decades and multiple reports from the Australian Law Reform Commission, the Victorian Law Reform Commission, the New South Wales Law Reform Commission, the Australian Competition and Consumer Commission, and the Federal and State Parliaments, Australia now has a tort of serious invasion of privacy.

The tort was enacted by the Privacy and Other Legislation Amendment Act 2024 (Cth).

Under the tort, a plaintiff will be able to establish a cause of action if:

  1. there has been a serious invasion of the plaintiff's privacy, either by:
    • an intrusion upon the plaintiff's seclusion. This includes a defendant watching or eavesdropping on the plaintiff; or
    • a misuse of the plaintiff's personal information;
  2. the plaintiff had a reasonable expectation of privacy;
  3. the invasion of privacy was intentional or reckless;
  4. the invasion of privacy was serious; and
  5. the public interest in the plaintiff's privacy outweighs any countervailing public interest. "Countervailing public interests" include freedom of expression, freedom of the press, and public health and safety.

The tort is actionable per se. The plaintiff does not Read the rest of this entry »

Tomorrow Australia will have a statutory tort of serious invasion of privacy. A long overdue reform that will fill a significant and unacceptable gap in the law

June 9, 2025

Tomorrow the statutory tort of serious invasion of privacy will take effect across all jurisdictions in Australia. The tort was passed through the Privacy and Other Legislation Amendment Bill 2024. It is inserted through Schedule 2 of the Privacy Act 1988 (Cth) and recognises two primary forms of invasion: intrusion upon seclusion and misuse of private information.

New ransomware group, Gunra, exfiltrates 450 million patient records from American Hospital in Dubai.

June 5, 2025

It is hardly news anymore that health service providers, especially hospitals, are key targets for cyber attacks. That is reinforced by an article titled Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai by removing Read the rest of this entry »