Recent US data suggests that in the next 5 years cyberattacks will cost the US hospital system $305 billion, with as many as 1 in 13 patients having personal information stolen from healthcare records during that time. Why such an interest in health records? Cyber criminals are fast realising that data stolen from a bank becomes useless once the problem is detected and passcodes are changed. But health care data, which includes personal identities and medical histories, can be useful for, literally, a lifetime.

While Australia is a few steps behind the US in the occurrence of major incidents, the debate regarding mandatory data breach notification laws has been happening for some time and it looks like a new regime is not far away.

Proposed mandatory data breach notification laws – what are they?

In 2015, the Australian government proposed the implementation of a mandatory data breach notification scheme in an exposure draft of the Privacy Amendment (Notification of Serious Breaches) Bill 2015. The current draft was prompted by the 2015 recommendation of the Joint Committee on Intelligence and Security for the introduction of a mandatory data breach notification scheme. Previous incarnations of the Bill proposed in 2013 and 2014 were supported by both the Greens and the Labor Party. Given this, it seems likely that the Bill will be passed during the Spring 2016 parliamentary sittings which run until 1 December 2016.

At present, data breach notification is voluntary in Australia, which means that there is minimal data as to the frequency of the occurrence of data breaches. Under the proposed bill, agencies and organisations that collect and maintain personal information will be required to report to an affected individual and to the Office of the Australian Information Commissioner (OAIC) where there are reasonable grounds to believe that a “serious data breach” has occurred.

The mandatory notification scheme is primarily a response to the increased risks associated with Australia’s growing digital economy, the mandatory data retention regime and the growing prevalence of cyber attacks.

Mandatory reporting is designed to restore control to individuals whose personal information has been compromised by allowing them to take remedial steps to avoid any adverse consequences.

Australia’s “My Health Record” system and growing privacy concerns

Also contributing to growing privacy concerns is the increased implementation of the e-Health or digital healthcare system and My Health Record system (formerly known as PCEHR System) which commenced in 2012.

Recent amendments to the My Health Record system are designed to increase participation by moving from an “opt-in” system towards an “opt-out” system in 2016 and 2017. So far, the results of “opt-out” trials that commenced in parts of Australia in June 2016 indicate that the opt-out rate is likely to be very low.

Will healthcare providers be bound by the mandatory notification scheme?

Organisations that collect and maintain personal information are bound by the Australian Privacy Principles (APPs) under the Privacy Act 1988. The Privacy Act applies to all private sector healthcare providers irrespective of annual turnover. Healthcare provider is broadly defined to include an individual or organisation that “assesses, maintains or improves an individual’s health” and/or “diagnoses and/or treats an individual’s illness, disability or injury”, even if healthcare is not their primary activity.

The mandatory data breach notification laws will require healthcare providers to report any “serious data breach” to the OAIC and to the individual concerned where there is a “real risk of serious harm”.

Previously, only healthcare entities that participated in the My Health Record System were subject to mandatory data breach notification requirements (contained in the My Health Records Act 2012 (Cth)). However, if the proposed Bill is introduced, the mandatory reporting scheme will extend to all healthcare providers. The proposed Bill ensures that healthcare providers are not subject to double reporting requirements.

What will the proposed scheme mean for healthcare providers?

The proposed mandatory reporting requirements will add to the existing obligations placed on healthcare providers regarding the use, management and protection of personal information that are contained in the APPs and the Privacy Act 1988 (Cth).

A healthcare provider will be required to report to all affected individuals and to the OAIC where there are reasonable grounds to believe that a “serious data breach” has occurred. When the potential scale of cyber attacks is considered – the 2015 data breach of US health insurer Anthem involved almost 80 million personal records – this notification requirement alone is a significant exercise.

Data breaches can occur by way of hacking or by accidental disclosure or loss. Under the exposure draft, a “serious data breach” occurs where there is:

  • unauthorised access or disclosure or loss of certain information (including personal information) about a person or persons; and
  • that access or disclosure or loss will result in a real risk of serious harm to any of the individuals to whom the information relates.

Importantly, a serious data breach will also occur where there is access or disclosure or loss of information prescribed under regulation. Health information is treated as “sensitive information” under the Privacy Act and APPs and therefore, likely to be the type of information that is specified under regulation.

Reporting of data breaches is already mandatory in the United States, resulting in a great deal of litigation. For example, in 2011, a class action in negligence and for breach of Californian notification laws was filed against the Sutter Medical Foundation (“Sutter”) in Sacramento, California after a password-protected, unencrypted computer was stolen from its administrative office. The computer contained health care records of more than 4 million individuals, including dates of birth, medical record numbers, medical diagnoses and/or procedures dating back to 1995.

Failure to report a serious data breach could result in civil penalties of up to AU$1.8 million under the proposed scheme.

Under the My Health Records Act there are already civil (and criminal) penalties that may be imposed for the unauthorised disclosure, use or collection of information contained in the My Health Record system of up to $108,000 for individuals and $540,000 for corporations. The proposed Bill looks to raise the stakes.

What can healthcare providers do?

Healthcare providers will be faced with complex challenges as Australian healthcare makes the transition to a digital health care system.

Severe financial and reputational consequences can flow from cyber attacks and from accidental disclosure of data, and managing those risks presents a real problem for healthcare providers.

Healthcare providers should ensure that they take measures to:

  • Understand the legislative and regulatory obligations under the Privacy Act and My Health Records Act and ensure that systems are designed in compliance with those Acts;
  • Review existing systems for collecting, maintaining and protecting personal information to ensure that they are secure and comply with the legislation and regulations;
  • Review or develop policies and procedures for staff to ensure that they:
    • Are cyber security aware and trained to use appropriate passwords and to take other precautions to protect information; and
    • Know how to respond in the event of a data breach;
  • Ensure that technical systems are:
    • up-to-date and highly secure;
    • maintained and reviewed on an ongoing basis;
    • protected by ensuring that appropriate technology is in place to prevent malicious data breaches;
  • Develop and implement an emergency response plan to deal with a data breach; and
  • Obtain, or consider obtaining, cyber insurance to provide cover in the event of a data breach or a failure to comply with mandatory data breach notification obligations.