Good response mitigates cyber attack impact
Sunday, 29 May 2022
A cyber attack on a doctor led to a privacy breach at his practice in which thousands of patients’ private details could be accessed. The case is a reminder to remain proactive about cyber security at a time when attacks are becoming more sophisticated and harder to detect.
The breach came to light when a physician member became aware that his personal email account and his mobile phone account had been compromised in a SIM swap attack.
Innovative SIM cyber hack
A SIM swap attack is an increasingly common way to break into someone’s accounts, in an age where a phone number is tied to a person’s entire online footprint.
The attack happens when someone convinces your mobile carrier to move your phone number to a SIM card they control. Once your incoming messages are diverted, the attacker can complete the SMS-based two-factor authentication checks that protect your most sensitive accounts.
Because the attacker controlled both the email account and the mobile number, they were able to reset the member’s passwords for several of his other online accounts, including his Dropbox cloud storage account. As a result, they gained access to the personal information of more than 2,000 patients.
The next day, the member took the following steps to remediate the situation:
- Added a PIN to his mobile phone account to prevent the attacker from attempting another SIM swap attack
- Reported the incident to the Australian Cyber Security Centre
- Moved his email hosting to a new domain name
- Enabled VIP authenticator for email access
- Enabled DUO authenticator for remote desktop gateway access
- Notified Avant of the incident under his practitioner indemnity policy
Taking the correct steps
With the help of Avant, the following steps were taken immediately after the breach:
- We provided the member with advice about his obligations pursuant to the Notifiable Data Breaches Scheme, provided a draft Notifiable Data Breach (NDB) form and drafted a notification for the member to send to patients informing them of the breach. This could be sent by post, SMS, or email.
- We kept in contact with the member’s administration staff to ensure the communications to patients went smoothly. They reported that the practice received a high volume of phone calls enquiring about the notice, since many patients assumed it was a scam.
- Despite thousands of patients being notified, the member received only one complaint, from a patient who, after receiving the notification, asked that his records be deleted. We assisted the member by preparing a letter in response, which clarified that further investigation had shown the patient was not affected by the breach. The letter also confirmed that the member could not delete the patient’s records, because a doctor has a legislative obligation under the Health Records Act 2001 to retain medical records for at least 7 years. The member did not hear from the patient again.
- Acting on behalf of the member, we submitted the NDB form to the Office of the Australian Information Commissioner (OAIC) via its online portal. We responded to the OAIC’s enquiries, kept it updated on the member’s progress in informing patients of the data breach, and shared copies of what had been communicated to patients.
Prevention through good IT security is crucial. However, in the event of a security breach where patients’ private information is compromised, it is important to be demonstrably proactive.
The member took swift action and notified the OAIC shortly after the data breach. Acting promptly is an important lesson from this case, as it helps ensure the eligible data breach can be assessed and managed without delay. It also ensures the member meets his obligations under the Privacy Act, including that affected individuals are notified within 30 days of the data breach.
It’s equally important to address patient complaints. Although the matter was closed by the OAIC, if a patient has concerns regarding the data breach, they may contact the member at any time to discuss their concerns and can still make a complaint to the OAIC. The OAIC will decide whether to investigate the complaint and may refer to the information obtained during its preliminary inquiries.
- Avant: Cyber security - What you need to know
- Avant eLearning: Cyber and privacy
- Australian Cyber Security Centre
- Business.gov.au: Useful cyber security resources
- Office of the Australian Information Commissioner: What is a notifiable breach?
- RACGP: Information security
- Avant: Cyber insurance
The case discussed in this article is based on a real case. Certain information has been de-identified to preserve privacy and confidentiality.
IMPORTANT: This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.