Phishing for your personal information
11 October 2019
Health information is highly sensitive and is regarded as extremely valuable on the dark web (the part of the internet used for criminal activity, including the sale of stolen credit card numbers, personal information, hacking tools and illegal substances). A cyber or privacy breach can be extremely disruptive and damaging for an organisation, both financially and reputationally. As health providers hold large volumes of information, they must ensure they protect their data from loss, unauthorised access and unauthorised disclosure.
A breach may also result in a claim being commenced against a medical practitioner or health provider for negligence, or for breach of confidentiality. Although it is almost impossible to guard against every cyber and privacy risk, steps and precautions can and must be taken to protect personal and sensitive information.
Given the advancements in technology and the increased risks of cyber and privacy breaches faced today, health service providers ought to consider preparing an incident response plan and obtaining cyber insurance to protect them from the damage that may result from a breach.
The Notifiable Data Breaches scheme
The Notifiable Data Breaches scheme (NDB scheme) came into effect on 22 February 2018 and applies to bodies that are bound by the Privacy Act 1988 (Cth). An organisation that provides a health service and holds health information is bound by the Act even if it is a small business or if providing a health service is not its primary activity. Health service providers include (among others) general practitioners, medical practitioners, blood and tissue banks, private hospitals, dentists, pharmacists and psychologists. The Office of the Australian Information Commissioner (OAIC) is responsible for enforcing the Act.
The NDB scheme requires bodies to notify the OAIC and affected individuals of an “eligible data breach”. Under the Act, an eligible data breach occurs if:
- there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by an entity
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates, and
- the entity has been unable to prevent the likely risk of serious harm with remedial action.
The term “serious harm” is not defined in the Act. Nevertheless, s 26WG of the Act provides a non-exhaustive list of factors to consider when assessing whether serious harm is likely to result from the access, disclosure or loss. The factors include the kind(s) and sensitivity of the information, the persons (or kinds of persons) who have obtained or could obtain the information, and whether the information is protected by security measures (such as encryption) and the likelihood that those measures could be overcome.
The statistics one year in
Between April 2018 and March 2019, the OAIC was notified of 964 eligible data breaches under the NDB scheme. Of these breaches:
- 60% were caused by malicious or criminal attacks—e.g. hacking, stolen credentials or phishing
- 35% were caused by human error, e.g. losing a USB drive containing personal information, and
- 5% were caused by system faults.
Of the 964 eligible data breaches reported to the OAIC under the NDB scheme, health service providers accounted for more than 200 notifications. Broken down by sector, the health service sector made the largest number of notifications to the OAIC, followed by the finance sector. The OAIC considers that the high number of notifications from the health service sector reflects its high-volume data holdings. Within the health service sector, human error was the leading cause of data breaches, accounting for 55% of eligible data breaches. This is significant when compared with the 35% of eligible data breaches attributed to human error across all sectors. The value of health information on the dark web is also high relative to other personal and sensitive information: the current “going rate” for a health record is $20 to $50, whereas credit card information sells for $5 to $8.
Unfortunately, the Act does not give an individual a direct right of action for a privacy breach. Instead, it only allows the Commissioner to bring proceedings to enforce a determination the Commissioner has made.
Tort of privacy, negligence and confidentiality
There is great uncertainty in Australia as to whether a common law tort for an invasion of privacy exists. Since the decision of Victoria Park Racing and Recreation Grounds Co Ltd v Taylor (1937) 58 CLR 479 (Victoria Park), the general consensus has been that a cause of action for a breach of privacy does not exist in the common law. The High Court of Australia, in the decision of Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199, observed that as a result of the Victoria Park decision, a general tort of privacy was unable to develop in Australia.
Despite this limitation, if a health service provider has breached an individual’s privacy, then it may be possible for that individual to bring a claim for negligence or for a breach of confidentiality.
As far as we are aware, there have been no court decisions in Australia regarding allegations that a medical practitioner was negligent and/or in breach of doctor-patient confidentiality by reason of an unauthorised disclosure of, unauthorised access to, or loss of personal and/or sensitive information.
Most health service providers will owe their patients a duty of care. A privacy breach by a health service provider may therefore amount to a breach of the duty of care owed to the patient, which may in turn cause the patient damage and/or loss. In Furniss v Fitchett [1958] NZLR 396 (Furniss), the New Zealand Supreme Court confirmed that a privacy breach by a doctor can amount to negligence. We consider that there is no reason why the principles distilled in Furniss cannot be applied equally in Australia.
At common law and under the Australian Medical Association’s Code of Ethics, a medical practitioner owes a patient a duty of confidentiality in relation to information the practitioner has obtained in the course of treating the patient. This duty is far reaching and extends after the patient’s death (subject to some exceptions). It is possible for an individual to commence legal proceedings claiming damages against the relevant medical practitioner.
What does this mean for insurers and claimants?
From an insurance perspective, we have seen the number of claims made against health service providers for cyber and privacy breaches rise sharply. With the number of claims on the rise, organisations within the health services sector need to be mindful of the information they hold and take the necessary steps to protect it. To help protect personal information, entities should (among other things) develop a data security plan and policy, ensure that staff are adequately trained on cyber risks and their privacy obligations, lock computers and laptops with strong passwords and fit them with privacy screens, encrypt USB drives, and regularly back up their data.
Even when all necessary steps are taken to protect information, cyber risks and privacy breaches will still arise, given the ever-changing online landscape. For this reason, health service providers ought to consider obtaining cyber insurance. In doing so, health service providers need to ascertain the level of cover they require, including whether the insurance policy will cover them for first party interference, third party interference and/or human error, as well as potential claims for breaches of confidentiality and negligence.
It can be difficult for the standard policy wording to keep up with the advancement of technology, so insurers need to be alert to the risks they are offering to insure. Insurers also need to ensure they are comfortable covering risks arising from mistakes (given that approximately 35% of breaches are caused by human error), or whether they are only prepared to provide cover for first party or third party interference.
Regional health care under attack
On 30 September 2019 a number of hospitals and health service providers in Gippsland and South-West Victoria were impacted by a ransomware attack, which blocked access to a number of the hospitals’ systems. The main hospitals impacted were located in Warrnambool, Colac, Geelong, Warragul, Sale and Bairnsdale. Victorian Premier Daniel Andrews said the incident was a criminal attack and noted it would take days or even weeks to re-secure the impacted network. To manage the incident, the Victorian Government is working closely with the impacted health service providers, Victoria Police and the Australian Cyber Security Centre.
At this stage, there has been no suggestion that any personal information has been accessed as a result of the incident. However, the impacted hospitals and health service providers have had to take precautionary measures, such as isolating and disconnecting a number of their systems. For example, Barwon Health suspended clinical applications and put manual systems in place to ensure that patient care could continue. It has rescheduled a number of elective surgeries and daily outpatient appointments. This again exemplifies the crippling effect of cyberattacks and their long-term ramifications for both health service providers and the public.
Assistance for health service providers to improve their privacy practice
In the last three years, “health service providers” have been identified as one of the top three sources of privacy complaints made to the OAIC. In recognition of this, the OAIC has recently released a comprehensive Guide to Health Privacy. In the Guide, the OAIC provides advice to health service providers on the Privacy Act 1988 (Cth), including in relation to the collection, use and disclosure of personal information and sensitive information. The Act requires health service providers to establish, implement and maintain coherent and robust privacy practices, and the Guide recommends eight practical steps to assist them in complying with the Act. The Guide is a positive Government initiative and can be used by health service providers to lower the risk of claims for a breach of and/or interference with an individual’s privacy, a breach of confidentiality or an allegation of negligence.