The private health sector has come out on top for reporting data breaches under the Australian Notifiable Data Breach (NDB) scheme with 49 notifications in the quarter (April to June).
This is according to the Office of the Australian Information Commissioner (OAIC), which particularly noted that these notifications did not relate to the My Health Records system.
This was followed by the finance sector with 36 notifications. All up the OAIC received 242 data breach notifications in the reported quarter. This is the first full quarter of the NDB scheme’s operation, since it came into effect in February.
Since then, the OAIC has received 305 data breach notifications all up.
“Notifications this quarter show that one of the key aims of the scheme – ensuring individuals are made aware when the security of their personal data is compromised – is being met. Data breach notification to individuals by the entities experiencing the data breach can equip individuals with the information they need to take steps to reduce their risk of experiencing harm, which can reduce the overall impact of a breach,” OAIC acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, said.
‘‘Notification to the OAIC also increases transparency and accountability. The report provides important information on the causes of data breaches so all entities can learn lessons and put in place prevention strategies.”
The report indicated malicious or criminal attacks, were the main causes of data breaches - representing 142 notifications or 59 per cent; followed by human error - 88 notifications or 36 per cent, and system faults making up 12 notifications - five per cent.
The majority of malicious or criminal breaches reported were the result of compromised credentials, and the most common human error was sending emails containing personal information to the wrong recipient (22 notifications), the OAIC report said. This was followed by the unintended release or publication of personal information (12 notifications).
Specifically, most data breaches involved the personal information of 100 or fewer individuals (148 notifications or 61 per cent of breaches). Whereas 93 reported breaches (38 per cent) impacted ten or fewer people.
The OAIC advised that the risks of these types of ‘human error’ data breaches can be greatly reduced by ensuring that staff handling personal information, receive regular training. Companies should also implement strong password protection strategies, including raising staff awareness about the importance of protecting their credentials.
In April, the OAIC released the first quarterly report revealing 63 notifications were received during the first six weeks of the scheme.
Out of the 63 notifications received, 51 per cent "indicated" that the cause was human error, 44 per cent were the result of malicious or criminal attack and three were the result of system faults.
Five sectors were at the top of the data breaches notifications with health service providers at the top with 24 per cent of all reported notifications followed by legal, accounting and management services with 16 per cent.