An investigation by the ABC has revealed that the personal health information of over 300 people applying for Australian visas was accidentally emailed to an incorrect address as a result of a “typo”.
The report details that the email containing information on 317 individuals was incorrectly sent to a member of the general public in 2015.
Bupa is contracted by the Department of Home Affairs to assess the health of people applying for visas and permanent residency in Australia.
According to the ABC, immigration medical assessments, carried out by Bupa and its subcontractors, are required for certain visa applications and for people applying for permanent residency in Australia.
The breach, the report detailed, occurred as a result of Bupa’s subcontractor Sonic HealthPlus removing data from secure government systems.
See also: Bupa touts customer experience in digital transformation
In 2014, the Office of the Australian Information Commissioner (OAIC) found that Home Affairs — formerly the Department of Immigration and Border Protection (DIBP) — was in violation of the Privacy Act by unlawfully disclosing personal information when it published the details of approximately 9,250 asylum seekers.
A document containing the full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and the reasons why the individual was deemed to be “unlawful” was available on the DIBP web site for around eight and a half days, as well as remaining available on Achive.org for approximately 16 days.
The source of the privacy breach was determined to be from the copying and pasting of a Microsoft Excel chart onto Microsoft Word by a DIBP staff member, resulting in the underlying data that renders the chart being embedded into the Word document.
Need to disclose a breach? Read this: Notifiable Data Breaches scheme: Getting ready to disclose a data breach in Australia
On the misuse of health data, security firm UpGuard last week detailed that a database containing information on individuals from Australia and New Zealand had exposed data connected to clinical trials.
The database belonged to Neoclinical, an Australia-based company that matches individuals with active clinical trials.
The database included collections for different entity types involved in connecting users to clinical trials, such as the accounts of organisations running the trials and information on the “users” themselves seeking entry to those trials.
On the same day, the Australian Competition and Consumer Commission commenced court proceedings at Federal Court against online health booking platform HealthEngine for sharing patient data with insurance brokers, and manipulating patient reviews and ratings.
Over 10 million people hit in single Australian data breach: OAIC
The Office of the Australian Information Commissioner’s quarterly data breach report also revealed private health was again the country’s most affected sector.
This is how hackers make money from your stolen medical data
Stolen medical information can sell for up to six times as much as PII, and there are reasons for that.
My Health Record had 42 data breaches in 2017-18 but no ‘malicious’ attacks: ADHA
Highest category of breaches was due to attempted Medicare fraud, the Australian Digital Health Agency has said in its 2017-18 annual report.
Data breach exposes diagnosis data of 34,000 medical marijuana patients
An electronic system used by a Canadian service and its parent company was compromised.
Why 70% of healthcare orgs have suffered data breaches (TechRepublic)
Digital transformation initiatives bring a slew of data privacy concerns to US health organizations, according to a Thales report.