Healthcare tops the list for notified data breaches


On July 31, 2018, the Office of the Australian Information Commissioner (OAIC) released its second quarterly statistics report on the Notifiable Data Breaches (NDB) scheme. The scheme, which came into effect on February 22, requires organisations to inform the government and affected individuals whenever they have been the victim of a data breach.

The OAIC report found that there were 242 data breaches filed in the second quarter of 2018, with a steady increase in notifications — going from 65 in April to 90 in June. The top five industry sectors for notified data breaches are as follows:

1. Healthcare
According to the OAIC, health service providers suffered more data breaches than any other industry. Out of the 242 breach notifications, 49 were reported by the healthcare sector.

The report found that human error, such as sending records to the wrong recipient and disclosing information to unauthorised parties, accounted for a majority of healthcare breaches, and may have contributed to an uptick in cyberattacks like phishing scams and ransomware.

Healthcare institutions are attractive targets for cybercriminals because their network devices and staff are easy entry points. What’s more, hospital and clinic databases contain massive volumes of personally identifiable information that fetches high prices on the black market. This data can be used to commit identity theft, allowing criminals to make false insurance claims and even buy and resell prescription drugs.

2. Finance
The finance sector came second to healthcare, with 36 breaches reported between April and June 2018. Half of the breaches were due to employee negligence, but highly targeted phishing scams caused the most problems.

Hackers target these firms because they control large sums of money and, much like health service providers, store troves of private information like credit card details and tax file numbers. Access to this information enables criminals to claim someone’s tax returns or steal money from their victim’s bank account.

3. Legal, accounting, and management
The 20 breaches reported by the legal, accounting, and management sector mostly involved malware, phishing, and brute-force attacks. This suggests that most companies in this industry lack robust cybersecurity measures and training, which they need since they also store important legal documents and financial data that are highly valuable to cybercriminals.

4. Education
K-12 schools and universities reported 19 data breaches resulting from unsafe IT practices and cyberattacks. One factor may have been the widespread popularity of open networks and unsecured personal devices on Australian campuses. Many students are also not aware of cybersecurity risks, which makes them prime targets for phishing scams and other online threats.

5. Business and professional associations
Business and professional associations fell victim to 15 data breaches, mostly because of external factors ranging from phishing to stolen storage devices and malware.

Companies in this sector are high-value targets for the identity information and financial details they collect from clients. Competitors that engage in corporate espionage also attack these companies in the hopes of stealing intellectual property and corporate secrets that will give them an edge.

Key takeaway

Considering that a majority of the breaches reported were linked to compromised credentials, phishing attacks, and human error, it’s clear that investing solely in cybersecurity software isn’t enough. Australian businesses must also address the human element of cybersecurity, and that means implementing comprehensive information handling policies and providing adequate cybersecurity training.

Training sessions must teach employees how to detect phishing emails and the importance of setting strong and unique passwords. Businesses must also conduct regular assessments to make sure networks are secure and employees are compliant with their organisation’s security best practices.

If you’re not confident in your company’s cybersecurity, it’s time to make it an immediate priority. Empower IT Solutions offers a wide array of security solutions, including advanced antivirus software, firewalls, and encryption, and comprehensive security training services customised for your industry. We even provide thorough security assessments to make sure your data is safe and sound. Give us a call today on 1300 797 838.
