Qld skin cancer study hit by data breach


Tuesday, 21 March, 2023

Data from a skin cancer study by QIMR Berghofer Medical Research Institute has been involved in a cybersecurity breach.

The data processing company, Datatime — widely used by government, universities and businesses — reported the breach in November 2022 and affected individuals were contacted directly.

The 2021 QSKIN study focused on understanding how genes influence a person’s risk of disease and involved a mail-out to 9749 potential participants. The only information held by Datatime in relation to these individuals was their name and address.

A further 1128 participants completed the survey and returned their forms to Datatime. Their personal information, including name, address and Medicare number, may have been compromised as part of the breach.

No other information, including genetic data, was involved or held by Datatime.

QIMR Berghofer reported that the arrangement to use an external data company included a rigorous process to ensure the reputation and credentials of the provider met the highest security standards. Datatime is ISO accredited and compliant with the Privacy and Data Protection Act (2014). Datatime was responsible for the security and coding of identifiable and health information.

Once notified of the breach, QIMR Berghofer identified affected participants and contacted them directly by email in accordance with the recommendation of the Office of the Information Commissioner Queensland.

The participant notification included all information that was known and provided by Datatime, including a description of the data breach, the kinds of information that may have been compromised and the steps people could take to protect themselves.

“We are extremely sorry that participants of this study have been impacted by the third-party data breach,” a QIMR Berghofer spokesperson said.

“QIMR Berghofer takes these matters very seriously, which is why we only engage highly credentialed data processing entities such as Datatime.

“Security measures such as coding and separating responses to ensure confidentiality are typically used.”

Datatime advised QIMR Berghofer that it followed strict privacy protocols and notified the Office of the Australian Information Commissioner to disclose the data breach. All relevant state and federal authorities, including the Australian Cyber Security Centre, Federal Police and federal government cyber experts, were also advised.

As part of QIMR Berghofer’s cybersecurity protocols, supplier accreditation requirements are being strengthened.

All research studies conducted by QIMR Berghofer researchers that involve the collection or use of personal information, including health information, are reviewed by the Human Research Ethics Committee registered with the National Health and Medical Research Council (NHMRC).


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd