Last week, the Senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 which means organisations that determine they have been breached or have lost data may need to notify affected patients as soon as they become aware of a breach and report the incident to the Privacy Commissioner.
Eligible breaches that will need to be reported include unauthorised access, disclosure or loss of personal information that is likely to result in “serious harm” to any of the individuals to whom the information relates.
The legislation stipulates that each notification must include a description of the breach, the type of information involved, and how patients should respond to the data breach. Failing to notify may result in penalties including fines of $360,000 for individuals and $1.8 million for organisations.
The Office of the Australian Information Commissioner is also empowered to require the entity to make a public apology or pay compensation to affected individuals.
It is important to highlight that a “data breach” is not limited to hacking or theft of data but covers accidental loss or disclosure of data.
There is some truth behind the saying that there are only two types of organisations: those that have been hacked, and those that don’t know they have been hacked.
In a recent Ponemon study, nearly 90% of all surveyed healthcare organisations had suffered a data breach in the past two years, with the average cost of a data breach found to exceed $2.2 million.
More than 50% of these breaches resulted from criminal attacks from the outside. The value in the patient record lies in the unique identifiers such as names, birth dates, Medicare/private health numbers and billing information.
For cyber criminals this provides a rich source of data that is being sold on the black market for up to $13 per record.
But it’s not just the cyber criminals. Internal mistakes, including accidental employee actions, third-party errors and stolen computing devices, account for the other half of data breaches as reported by this survey.
The mandatory notification laws may have an impact on a doctor’s medical indemnity insurance as a result of increased litigation and complaints.
This could include:
- Privacy notification costs incurred by doctors in notifying patients and regulators of a breach;
- Privacy defence costs to defend legal action which may be brought against a doctor by the Privacy Commissioner;
- Fines and penalties against an individual doctor for breaches of the Privacy Act;
- Claims from patients who suffer loss as a result of their patient records being made public;
- Increased complaints to the medical board.
As seen in recent healthcare privacy breaches, cyber-attacks are increasing in both frequency and severity.
To combat such attacks, GPs should be paying more attention to security measures and to their response plans if a breach does occur. The healthcare industry faces growing risk from more sophisticated attacks that target it specifically, including targeted malware, the move to more cloud-based infrastructure and a complex network of third-party vendors sharing information.
Here are five steps to mitigating risk based on building awareness and resilience:
- Understand your obligations under the Privacy Act and My Health Records Act.
- Review your existing systems and procedures for collecting, maintaining, storing, backing up and protecting personal information, and ensure your systems and procedures comply with the regulatory requirements. Map out how your patients’ records are kept, where they are located and who has access to them.
- Raise awareness by educating staff and developing appropriate policies and procedures for identifying and responding to a breach. This should include an emergency response plan to deal with data breaches and a plan for who should communicate a data breach and how. Don’t let the documentation gather dust; make sure you are regularly testing the plan and exploring different breach scenarios.
- Make sure your IT systems and software are continually monitored, kept up to date and protected.
- Check with your insurance broker to determine if you have appropriate insurance to cover you in the event of a data breach.
This publication is general in nature and is not comprehensive and does not constitute legal or medical advice. You should seek legal, medical or other professional advice before relying on any content, and practise proper clinical decision making with regard to individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgment or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Tego Insurance Pty Ltd is not responsible to you or anyone else for any loss suffered in connection with the use of this information.