
Data Leak Exposes Psychologists' Home Addresses

Leak Has Been Reported to Australia's Data Regulator
An HBF branch in Joondalup, Western Australia (Photo: HBF)

A large health insurer in Western Australia inadvertently shared the home addresses of some psychologists to a web-based appointment booking service, the West Australian reported Wednesday.


The health insurer, HBF, passed names and addresses of psychologists to Whitecoat, a company that develops an online booking and patient review mobile application and website. The details have since been removed. The same details for dentists, dieticians and remedial massage therapists were also passed on to Whitecoat.


The West Australian writes that HBF has notified 7,000 psychologists. Some of the psychologists work from home and did not have a separate location for their practice. The breach came to light after a psychologist saw their personal address on Whitecoat.

Efforts to reach HBF on Wednesday were not immediately successful.

Exec: Data Should Have Been Scrubbed

HBF CEO John Van Der Wielen tells the West Australian: "We should have scrubbed the data or sent it in a different manner to avoid this, and while we think it might have only affected a small number of psychologists for a short period of time, we have to be squeaky clean. I'm treating it with the utmost severity but in reality we haven't published bank account details or family details."

Voter registration rolls in Australia contain names and addresses. But medical professionals are among those who can be granted silent elector status - in which only their name appears on the roll. That status is granted on a case-by-case basis and approved by a divisional returning officer, according to the Australian Electoral Commission.

Another One For The Tally

The incident has been reported to the Office of the Australian Information Commissioner, which oversees the country's data protection regulations.

In February, an amendment to Australia's Privacy Act went into effect that for the first time put in place a mandatory notification requirement for certain types of organizations for certain classes of data breaches. The law applies to companies and governmental organizations that are covered by the Privacy Act 1988 (see: Australia Enacts Mandatory Breach Notification Law).

Businesses that have less than 3 million Australian dollars ($2.2 million) in annual revenue are excluded from the reporting requirement. The fines for violations range from AU$360,000 for individuals to AU$1.8 million for organizations.

Before the law, many organizations had followed the best practice advice from the OAIC, which recommended that breaches be voluntarily reported. The threshold for reporting was a leak or theft of information that's likely to result in "serious harm."

The OAIC offered guidance to organizations on how that determination is to be made: "Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person in the entity's position."

A factor that can contribute to whether a breach could cause serious harm is whether several pieces of information have been leaked at the same time. Another consideration is whether the leak involves data often used for identity fraud, such as a driver's license number, passport details, Medicare card or financial details, the OAIC says.

The OAIC has received a steady drip of reports, which it summarizes in quarterly updates. While some breaches prior to the law taking effect did become public, the OAIC's reports have shed light on the frequency of data mishaps and malicious incidents.

The third quarterly report for the year, released on Oct. 30, showed the OAIC received 245 notifications between July and September. A little over a third of those incidents resulted from human error, with more than half the result of malicious or criminal activity.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
