Health service providers accounted for almost a quarter of the breaches reported in the first six weeks of operation of the government’s Notifiable Data Breach (NDB) scheme.
The scheme came into force on 22 February.
The rules require organisations to report data breaches to the Office of the Australian Information Commissioner (OAIC) and notify affected individuals when there is a risk of “serious harm”.
Businesses with annual turnover greater than $3 million are covered by the scheme, as are organisations that handle certain sensitive categories of data, such as health-care providers, and Commonwealth entities.
The OAIC today issued its first quarterly report on the scheme (the report covers the period since the scheme’s start in February), revealing that it received 63 reports of data breaches during its first six weeks of operation.
By way of comparison, in the 2016-17 financial year the OAIC received 114 voluntary notifications of data breaches.
Health service providers accounted for 24 per cent of the notifications received by the OAIC under the scheme, followed by legal, accounting and management services organisations (16 per cent), finance (13 per cent), private education (10 per cent) and charities (6 per cent).
The OAIC said that 78 per cent of the breaches involved contact information for individuals, while a third involved health information and 30 per cent financial details, including tax file numbers and bank account or credit card details.
The report states that 32 per cent of breaches related to human error, such as emailing a document to the wrong individual, while 28 per cent were a product of malicious or criminal attacks (other reasons for breaches included system error).
Although 29 breaches involved only one person, three involved more than 10,000 individuals.
Acting Australian Information Commissioner and acting Privacy Commissioner Angelene Falk said that notifying affected individuals of a data breach gives them “the chance to take steps that reduce their risk of experiencing harm, such as changing relevant passwords for online accounts.”
“This can reduce the overall impact of a breach,” Falk said.
“More broadly, the transparency provided by the NDB scheme reinforces Australian government agencies’ and businesses’ accountability for personal information protection and encourages a higher standard of security.
“Over time, the quarterly reports of the eligible data breach notifications received by the OAIC will support improved understanding of the trends in eligible data breaches and promote a proactive approach to addressing security risks.”