Health sector reports highest number of privacy breaches

NEWS - eHealthNews.nz editor Rebecca McBeth

Health care and social assistance is the industry reporting the highest number of serious privacy breaches since the new Privacy Act came into force.

The Office of the Privacy Commissioner (OPC) received a 97 percent increase in privacy breach notifications in the first four months of the new Act, compared to the previous six months.

OPC is marking Privacy Week (10-14 May 2021), by publishing its first stocktake of privacy breach reporting after the Privacy Act changed on 1 December 2020.

Under the new Act, organisations or businesses which experience a privacy breach that has caused, or has the potential to cause serious harm, must now report it to the Privacy Commissioner. They can do this by using OPC’s online NotifyUs reporting tool.

Breaches related to health care and social assistance make up more than 20 percent of those notified. The report notes that a high number of reports from one sector does not necessarily mean poor privacy practice, but may mean they are more aware of their obligation to report.

Medical IT Advisors chief executive Faustin Roman says around 90 percent of organisations operating in the healthcare space are small or medium-sized businesses that lack basic security controls and 90 percent of breaches are due to human error. 

“Healthcare environments use a lot of digital technology and are exposed to cyber risks as they inherently need to trust and collaborate with each other,” he says.

“The Covid-19 pandemic has created the perfect situation for the malicious actors to exploit organisations as there is a lot of fear and misinformation and opportunities for any staff member to fall for a scam.”

The most common category of privacy breaches were email errors (25 percent), with emails containing sensitive information going to the wrong person. Other common types of breaches were the unauthorised sharing of personal information (21 percent) and unauthorised access to information (17 percent).

Over half of the privacy breaches reported to OPC involved emotional harm, and about one third resulted in a risk of identity theft or financial harm.