The debate about disclosure requirements under Australia’s existing data privacy law has been stirred up again thanks to another data breach. After losing some 223,000 records containing patient data, Australian Clinical Labs (ACL) took months to report the incident and notify impacted parties, despite a warning from the government that the files had been spotted on the dark web.
Most of the records contained Medicare numbers, and about 10% contained detailed medical records or payment information. The full set of 223,000 was not put up for sale, but customers of the company are still waiting for clarity and transparency about what was lost and what level of risk they are personally at.
Lab delayed reporting incident to authorities until stolen data was discovered on dark web
Australia’s current primary legal document governing data breaches and data privacy issues is the Privacy Act 1988, which (as the name indicates) was not written with the modern internet landscape in mind. One of the issues with it is a lack of specificity regarding at what point a loss of sensitive personal data must be reported to the government and disclosed to the data subjects.
ACL appears to have taken advantage of this ambiguity to delay reporting of a fairly serious breach and loss of patient data. The attack happened in February, and ACL was contacted by the government in March about it, but did not formally report the incident until it was contacted again in June regarding the appearance of some of the stolen records on the dark web.
The Privacy Act 1988 is currently under review, and major changes are expected sometime in 2023, but that is not likely to impact this present case. ACL is required to report a data breach if the loss of patient data is reasonably expected to cause “serious harm.” But ACL claims that its own internal investigation of the data breach, completed in March, turned up no evidence of “misuse” of the stolen data. Going forward, it is very likely that there will be much stricter reporting terms (along with vastly increased penalties).
Patient data exposed for months, prompting questions from victims and security experts
ACL subsidiary Medlab, a pathology service and one of Australia’s largest providers of Covid-19 testing, was the portion of the company that was breached. At least 17,500 of the leaked records contained some sort of pathology patient data. And about 28,000 of the records went to the dark web accompanied by a credit card number, though security analysts have found that about half of these numbers are expired and only about a tenth had a CVV code attached. In addition to losing patient data, Medlab reportedly lost an assortment of internal business documents.
Medlab has said that it has been conducting a “lengthy analysis” of the stolen data, and did not want to prematurely notify customers so as not to cause panic. It remains to be seen if Australian authorities will accept that story, but under the present Privacy Act rules the company would have to be taken to federal court before any enforcement action could be brought against it.