Health remains most breached sector; human errors rise by 43%
Health care remains the most breached sector, reporting around 18% of all notified data breaches, according to the Office of the Australian Information Commissioner’s (OAIC) latest report.
The Notifiable Data Breaches Report for July to December 2021 shows the OAIC received 464 data breach notifications during this period, an increase of 6% compared with the previous period.
The health sector notified 83 data breaches, with providers reporting an equal number of breaches resulting from malicious or criminal attack and human error (47% each).
The OAIC is urging organisations to put accountability at the centre of their information handling practices.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said doing so would give individuals greater confidence that their personal information will be handled fairly and securely when they engage with an organisation.
Malicious or criminal attacks remain the leading source of breaches, accounting for 256 notifications (55% of the total), down 9% in number from 281. There was a significant rise in breaches due to human error, increasing by 43% to 190, after a dip in the previous period.
The report highlights a scenario in which an organisation experienced a phishing attack and an employee’s email account was compromised. A preliminary review of the incident suggested a significant amount of personal information was at risk, but that it would take 5 months to identify and tailor notifications to everyone at risk of serious harm.
In this case, best practice was to promptly notify individuals, providing general recommendations that applied to all individuals whose personal information was contained in the email account, rather than attempting to tailor notifications and delay the process.
“This is the tenth consecutive report that health care has been deemed the most breached sector, indicating a critical need for change when it comes to healthcare organisations’ cybersecurity postures,” said John Donovan, Managing Director ANZ at Sophos.
Industry leaders must invest in the right technology to build their cybersecurity foundation, Donovan said. “The need for this is evidenced by the report, with malicious or criminal attacks accounting for 55% of all data breaches over the last six months.
“Additionally, with human error contributing to 41% of data breaches, cybersecurity education must be prioritised for healthcare workers, particularly for remote workers whose systems are less secure than onsite facilities.”