e-Health Ready

OAIC Data breach report: insights and tips

By Yianni Serpanos | Aug 04, 2018

In my recent OAIC Notifiable Data Breach (NDB) summary, I pointed out that Health service providers represented the top industry sector by notifications reported.

This was the case in both human errors and cyber security issues.

Given the specific references in our Privacy Act 1988 (Privacy Act) relating to Health service providers I wanted to understand the insights.

In the following chart, we can see that human error and malicious or criminal attack are the main issues.

OAIC Top 5 Industries by Source of Breach
Chart 2.1: Sources of Data Breaches – Top 5 industry sectors


What exactly is human error?

Human error is defined by the OAIC as set out by the following glossary table:

Human error data breach categories, OAIC
OAIC Glossary Human Error Data breach categories


I found this glossary useful to get a sense of what can be done at a cultural level to protect against pure human error.  And the rest seem to be contributed to by system choices.

Most are preventable by working with systems designed with healthcare information privacy in mind.  For example all the issues around email and fax can be absolutely minimized by working with secure messaging products when you’re sending or receiving client information between providers.

TIP: If you haven’t known or done so already, register for coreplus’s Secure Message Delivery service from within your dashboard and settings and don’t use email or fax for this type of communication.


What exactly is malicious or criminal attack?

Here is OAIC’s glossary for cyber attack issues:

Cyber security glossary OAIC
OAIC Glossary Malicious or criminal attack


Understanding these terms will help you review IT systems & security policies.

Generally the level of security in small business IT systems (servers, pc’s, firewalls etc…) is pretty average.  And password management is not top of mind for a lot of people.

TIP: If you’re not using two factor authentication, I strongly encourage you to activate this and if you need any assistance contact our customer service team via your in product direct messaging.


What information was breached?

Here is the OAIC’s glossary of “information” breached:

Other information reported
OAIC Glossary of information terminology


Health information is not the only thing you need to be concerned about.

Having client information stored securely, safely and limited in terms of who/ what and how it can be accessed is key.

TIP: Using fit for purpose systems designed for Australia healthcare regulations along with segmented privileges and high end security will go a long way to minimizing your risk of a breach.


Overall, the types of issues reported are not surprising.  I see a lot of it when meeting and working with small practices.  The good news is that it’s relatively easy and cost effect to do something about minimizing the risk of a breach.


Tips on minimizing risk

Here’s some things to think about that can really lower your risk of data breaches by human error or cyber security:

  • Work with practice management products/ software that allow you control where your client data is stored so that you can control who has what type of access and under what conditions NB: Having your practice data in Australia is preferable;
  • Use secure messaging systems for practice to practice communications relating to client information;
  • Focus on products that have been built for Australian health providers and are Australian Privacy Act focused, NOT GDPR as EU Law compliance won’t relieve you of your legal responsibility here in Australia.
  • Use a password manager built for creating and storing complex passwords and changing them regularly in line with a stated password policy in your practice.
  • Choose products that offer you two factor authentication as then a hacker would have to steal your password and your phone to gain access to your systems.
  • Be careful using products designed for overseas markets that are integrate-able with your core practice management systems as they often share data between systems without privacy in mind, or, without you realizing that it’s being done and generally send your client data overseas.
  • Review APP Guidelines and update your practice policies accordingly.  If you’re using a lot of cloud products, focus on Cross border disclosure of personal information


Hopefully there’s value for you in this breakdown and understanding of what could cause a data breach in your health practice.  Also, I hope you’ll lower risk by using a specifically designed for Australian health service provider product like coreplus with two factor authentication turned on.

Overall, think of privacy as a cultural and have well advised policies & procedures, appropriate systems that ensure your Australian privacy obligations are met.


Thanks for taking the time to read this.  Feel free to message me via LinkedIn if you want to talk health-tech or contact our awesome customer service team with any questions on how coreplus works to help with the above.


Recent Stories


Transform your audiology practice with coreplus’ NEW Hearing Services Program integration

Welcome to the future of audiology practice management! coreplus is excited to introduce our latest… Read More

By Diana Younan | Dec 05, 2023


Extend the impact of your therapy sessions with the help of Theratrak, our newest Add On partner

Did you know that research suggests that the minute a patient walks out the door,… Read More

By Enzemam Moeen | Aug 17, 2022


How to Improve Success of Telehealth for Clients and Clinics

Clinics and clients both stand to benefit from telehealth services, but only when done correctly…. Read More

By Diana Younan | May 30, 2022

Subscribe to a weekly dose of coreplus news