Wednesday, October 26, 2022

Privacy fallout from Medibank hack ‘will be widespread’

John Davidson, Columnist

Leaks of sensitive healthcare information such as Medibank’s data breach can have far-reaching consequences, not just for the direct victims of the leaks but for all users of Australia’s health system, privacy experts warn.
Last week, Australia’s largest private health insurance company admitted it had as much as 200 gigabytes of data stolen from its servers, including “the location of where a customer received medical services, and codes relating to their diagnosis and procedures”.

Australians trust insurance providers far less than they trust healthcare providers such as Medibank. Louise Kennerley

Melanie Marks, a principal at the cybersecurity and data privacy consultancy elevenM, said the leak would harm far more than Medibank and its customers.

“When we have a large data leak like that, it has a ripple effect that undermines trust in the whole health system,” she told The Australian Financial Review.

Trust that healthcare data would be protected was crucial to the proper functioning of the healthcare system, which was why healthcare providers such as doctors, nurses and hospitals took great care with patient data, she said.

In its 2020 survey, Australian Community Attitudes to Privacy, the Office of the Australian Information Commissioner found that Australians trust their healthcare providers to keep their information secure more than they trust any other sector. Seventy per cent of those surveyed said they found health service providers either very trustworthy or somewhat trustworthy.

That was double the level of trust in insurance companies, which only 35 per cent of Australians said they found trustworthy, according to the OAIC survey.

“If you feel that when you go to see your psychologist and talk about some very personal issues that you might have, and if you fear that your information may not be secure, you may not go back to that provider or to any other provider,” Ms Marks said.

More reform needed

On Friday, the government moved to restore trust in corporate Australia’s ability to keep personal data secure, by vastly increasing the fines that companies will incur when they have failed to take reasonable steps to protect personal data.

While that move was welcome, it was “just one of the dials we need to be turning” to improve corporate attitudes to data security and privacy, Ms Marks said.

“There needs to be a continued push to address other areas of privacy reform, including modernising the definition of personal information, reviewing existing exemptions to the current Privacy Act, and increasing accountability of organisations for preventing privacy harms,” she said.

The government also needed to better fund the OAIC because “increased fines are effectively meaningless unless they can be enforced”, Ms Marks said.

Former NSW deputy privacy commissioner Anna Johnston, who runs her own data privacy consultancy, Salinger Privacy, said many details of the Privacy Act needed to be addressed, not just the size of fines.

“Will the OAIC be able to levy fines directly, or will they still have to apply to the Federal Court?” Ms Johnston asked.

Having to go through the Federal Court was one of the reasons OAIC had never imposed the modest $2.2 million fine under the current Privacy Act, she said.

Additionally, companies could be punished only if they were guilty of “serious” privacy breaches, which was not defined in the Privacy Act, or if they were repeat offenders.

This too was a “weakness” in Australia’s privacy law that needed to be fixed, she said.

John Davidson is an award-winning columnist, reviewer, and senior writer based in Sydney and in the Digital Life Laboratories, from where he writes about personal technology. Connect with John on Twitter. Email John at jdavidson@afr.com