There were about 900 data breach notifications made to the OAIC last year, which, although it rounds to a nice even number, is pretty bad. The majority of these breaches involved the personal information of individuals, such as name and address, and the sector with the most notifications was healthcare.
Of these 900 breach notifications, 464 of them were reported in the second half of 2021.
Does this mean 464 breaches? Basically, but because this is government, it is obviously not as simple as that: the figure counts notifications made under the scheme, not every breach that happened in Australia.
Data breach notification to the Office of the Australian Information Commissioner (OAIC) became mandatory under the Notifiable Data Breaches (NDB) scheme in February 2018.
Under the scheme, all agencies and organisations in Australia that are covered by the Privacy Act are required to notify the OAIC and any individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of the breach.
The Privacy Act covers most Australian government agencies; it does not cover a number of intelligence and national security agencies, nor does it cover state and local government agencies, public hospitals, and public schools.
The OAIC provides a report every six months.
So with that aside, here are some stats from the period spanning July 1, 2021, through December 31, 2021.
Health holds crown as most breached
As is the trend, the healthcare sector was the most breached in Australia, accounting for 83 of the 464 notifications – this is 18 per cent. Next in line was finance, with 56 breaches, followed by legal/accounting with 51 and personal services with 36.
Since the NDB scheme began, health has been the most affected sector. It is on the radar of the Australian Cyber Security Centre (ACSC), too, which previously issued an alert to aged care and healthcare providers notifying them of ransomware campaigns targeting the sector.
This number would likely be higher if the entire healthcare sector in Australia were counted. Public hospitals are outside the Privacy Act, and data breaches that are notified under s75 of the My Health Records Act 2012 do not need to be notified under the NDB scheme, as they have their own binding process to follow (which also sits under the umbrella of the OAIC).
47 per cent of the health sector breaches were traced back to malicious or criminal attack and another 47 per cent were the result of human error.
The broader picture
Overall, contact information was the most breached info – such as an individual’s name, home address, phone number or email address. It was the case in 396 of the 464 breaches. Identity information was breached in 185 occasions, followed closely by financial details – 183 of them.
71 per cent of these breaches affected fewer than 100 people, but in 20 instances over 5,000 people were affected. In fact, one breach affected over 1 million people (not just Aussies, though). Yikes. The plus side is that 75 per cent of entities involved in these notifications reported the incident to the OAIC within 30 days of becoming aware of it.
Malicious or criminal attacks remain the leading source of breaches, accounting for 256 notifications (which is 55 per cent of the total). ‘Cyber incident’ was the most common reason provided under the ‘malicious or criminal attack’ banner.
Data breaches resulting from human error, meanwhile, accounted for 190 notifications. The most common example was emailing personal information to the wrong recipient, which accounted for 43 per cent of the reported human error breaches. Unintended release or publication of personal information and loss of paperwork or a data storage device were also to blame.
Australian Information Commissioner and Privacy Commissioner Angelene Falk wasn’t overly impressed with the stats.
“Australians expect that their personal information will be handled with care when they choose to engage with a product or service and are more likely to entrust their data to organisations that have demonstrated effective privacy management,” Commissioner Falk said.