Introduction by Croakey: A delay by Optus in informing the Federal Government that people’s Medicare details are part of a massive data breach has been described by Federal Health and Aged Care Minister Mark Butler as “deeply unfortunate”.
He told ABC radio this morning that the Government was “particularly concerned that we were not notified earlier and consumers were not notified earlier about the breach of Medicare data as well”.
“All the resources of government are going into protecting consumers in the face of this extraordinary breach of their personal data,” he said.
Meanwhile, Adjunct Professor George Newhouse and Duncan Fine, two of the founders and directors of the National Justice Project, are concerned that far less attention has been paid to a data breach earlier this year affecting NDIS participants – many of whom still have not been notified.
Now is the time, they say, for the Albanese Government to address our “weak and hopelessly out-of-date” privacy laws.
George Newhouse and Duncan Fine write:
As many Optus customers are finding out to their horror this week, we are coming to grips with our modern globally connected world where personal information can be stolen and fall into the wrong hands.
While the Optus case deserves blanket media coverage, spare a thought for the victims of a more serious but less reported data hack.
Recently, thousands of Australians living with a disability had their extremely sensitive and personal information (including health details) accessed and stolen after a cloud-based server of a private company was hacked.
The company, known as CTARS, is a cloud-based client management system for the NDIS which is used by out of home care services. In May 2022, CTARS became aware of the data breach. An unauthorised third party had gained access to their systems and claimed to have taken a significant volume of data.
A sample of this data, which includes personal information about customers, their clients and carers, was posted on a deep web forum.
CTARS reported the incident to the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC).
But what does this mean for the people (many of whom are among the most vulnerable in society) who now, quite rightly, feel violated, knowing extremely personal details are potentially in the hands of criminals?
The trouble for them (and for all victims of data breaches) is that Australia’s weak privacy laws mean that four months later, unlike Optus customers, most of the individual NDIS participants whose data has been breached and accessed have not even been notified of the breach.
The Privacy Act does require that CTARS and the NDIS Disability Service Providers notify individuals where serious harm is likely to occur as a result of a data breach. Indeed, under the Act, companies like CTARS must prepare a statement including a description of the breach, the kind of information concerned, and recommendations about the steps that individuals should take in response to the breach.
But, and it’s a big “but”, there is uncertainty around the obligations of subordinate users such as the Disability Service Providers who utilise the CTARS platform and what information they have about the breach and the steps they must take.
In response to the data hack, CTARS notified the Privacy Commissioner, released a statement, posted it on its website and notified Disability Service Providers. Some Disability Service Providers have published their own statements on their websites – but not all of them. Few have directly notified NDIS participants.
CTARS is a cloud-based platform and only its clients – the NDIS Disability Service Providers – are aware of the identity of the individual NDIS participants whose data (including confidential medical records) has been accessed and taken in the data hack.
Since then there has been quite a bit of buck passing. The Privacy Commissioner refuses to divulge information. CTARS says it has notified the Disability Service Providers, and the providers don’t know whose private information was accessed.
A defining moment
The bottom line is that our privacy laws are weak and hopelessly out-of-date.
It’s data hacks like this (and yes, like the Optus breach) that now present the Albanese Government with a defining moment to fix a broken system.
The government needs to legislate to strengthen the law to (at the very least) ensure that the impacts of serious data breaches are communicated to subordinate, even unknowing, users of cloud-based platforms.
In this CTARS case, tens of thousands of NDIS participants appear to have had their personal medical records accessed. Today the Health Minister was horrified to hear that the Optus breach had disclosed Medicare numbers, but he has been silent on the CTARS breach, which disclosed much more significant and personal health information.
The Optus breach may impact more people, but the CTARS breach will have a much greater effect on the people involved because of the highly intimate nature of the material involved.
Our globally connected world means sensitive information can be exposed to the world at the touch of a keyboard.
But that also means deeply personal material can, in an instant, fall into the wrong hands. This is especially so when corporations and government agencies that store such information are lax in securing it.
Now is the time for government action.
Directors need to be personally responsible for overseeing a corporation’s data security policies and for ensuring that they are implemented. Data breach disclosure notification rules must be extended to ensure that all individuals who are affected or potentially affected (even through subordinate users of cloud software) are notified. And a new tort of breach of privacy needs to be legislated to ensure that affected individuals have a remedy. We need them to act now!
More details on the Optus breach
- Optus statement
- Statement by Australian Government Office of the Information Commissioner
- Services Australia statement
- Australian Cyber Security Centre statement.
See Croakey’s archive of articles on the commercial determinants of health