A cyber attack on a doctor led to a privacy breach at his practice in which
thousands of patients’ private details could be accessed. This case is a
reminder to remain proactive about cyber security, at a time when attacks are
becoming more sophisticated and difficult
The breach came to light when a physician member became aware that his personal
email account and mobile phone account had been compromised in a SIM swap
attack.
Innovative SIM cyber hack
A SIM swap attack is an increasingly common way to hack into someone’s
accounts, in an age where a phone number is linked to their online
The attack happens when someone convinces your mobile carrier to switch your
phone number over to a SIM card they control. With your incoming calls and text
messages diverted to their handset, the attacker receives the SMS codes used for
text-based two-factor authentication and can complete the checks that protect
your most sensitive accounts.
As the attacker controlled both the email account and the mobile number, they
were able to reset the member’s passwords for some of his other online accounts,
including his Dropbox cloud storage account. As a result, they were able to
access the personal information of more than 2,000 patients.
The next day, the member took the following steps to
remediate the situation:
- Added a PIN to his mobile carrier account to prevent the attacker from
attempting another SIM swap
- Reported the incident to the Australian Cyber
- Moved his email hosting to a new domain name
- Enabled VIP authenticator for email access
- Enabled Duo authenticator for remote desktop access
- Notified Avant of the incident under his
practitioner indemnity policy
Taking the correct steps
With Avant’s help, the following steps were taken immediately after the
breach:
- We advised the member of his obligations under the Notifiable Data Breaches
Scheme, provided a draft Notifiable Data Breach (NDB) form and drafted a
notification for the member to send to patients informing them of the breach.
This could be sent by post, SMS, or
- We kept in contact with the member’s administration staff to ensure the
communications to patients went smoothly. They reported that the practice
received a high volume of phone calls enquiring about the notice, since many
patients thought it was a scam.
- Despite thousands of patients being notified, the member received only one
complaint, from a patient who, after being notified of the data breach,
requested that his records be deleted. We assisted the member by preparing a
letter in response, which clarified that further investigation had revealed the
patient was not affected by the breach. We also confirmed that the member could
not delete the records, given that a doctor has a legislative obligation to
retain medical records for at least 7 years under the Health Records Act 2001.
The member did not hear from the patient again.
- Acting on behalf of the member, we submitted the NDB form to the Office of the
Australian Information Commissioner (OAIC) via its online portal. We responded
to the OAIC’s enquiries, kept it updated on the member’s progress in informing
patients of the data breach, and shared copies of what was communicated to
patients.
Prevention through good IT security is crucial. However, in
the event of a security breach where patients’ private information is
compromised, it is important to be demonstrably proactive.
The member took swift action and notified the OAIC shortly after the data
breach. Acting promptly is an important takeaway, as it helps ensure the
eligible data breach can be assessed and managed without delay. It also ensures
the member meets his obligations under the Privacy Act, and that affected
individuals are notified within 30 days of the data
It is equally important to address patient complaints. Although the OAIC has
closed the matter, a patient who has concerns about the data breach may contact
the member at any time to discuss them and can still make a complaint to the
OAIC. The OAIC will decide whether to investigate the complaint and may draw on
the information obtained during its preliminary inquiries.