Welcome back. This week, we continue our look into incident response. I thought this week we would cover some common questions about cyber incidents, including:
– What to do if you have a breach.
– If the worst case occurs, how to make a report and ensure you inform the proper authorities, including ADHA and other government functions.
My Pharmacy Holds Personal Health Information; What Are My Responsibilities If I am Breached?
Suppose you hold personally identifiable information (PII) and personal health information (PHI) and experience a data breach in Australia. In that case, you have several responsibilities under the Privacy Act 1988 and the Australian Privacy Principles (APPs). Some of these responsibilities include:
Failure to comply with these obligations can result in significant fines, penalties, and reputational damage. In addition to these legal obligations, it is also imperative to prioritise the protection of PII and PHI through robust security measures and ongoing monitoring and review of your data protection practices.
Who Do I Need to Report a Breach to?
If you have experienced a cyber breach, you can make a report to the following organisations:
It’s important to report cyber breaches or incidents as soon as possible to help prevent further damage and to increase the chances of identifying and prosecuting the perpetrators.
What About My Obligations Under My Health Records?
As a pharmacy owner in Australia, the My Health Records Act 2012 (Cth) outlines several responsibilities that you have concerning the Australian government’s My Health Record system. Some of these responsibilities relating to an incident include:
1. Privacy and security: You must comply with the My Health Records Act 2012 and the Australian Privacy Principles when handling PHI in the My Health Record system. This includes implementing appropriate privacy and security controls to protect the confidentiality and integrity of PHI.
2. Reporting: You must report any data breaches or unauthorised access to PHI in the My Health Record system to the Office of the Australian Information Commissioner and the Australian Digital Health Agency.
What Are The Penalties For Not Complying With The Rules?
Under the Notifiable Data Breaches (NDB) scheme in Australia, if an organisation experiences a data breach that is likely to result in serious harm to any individuals whose personal information is involved, they are required to report the breach to the Office of the Australian Information Commissioner (OAIC) and notify affected individuals as soon as practicable.
The penalties for not reporting a cyber privacy breach in Australia can include the following:
1. Civil penalties: The OAIC can seek civil penalties for serious or repeated breaches of the NDB scheme. The maximum penalty for a serious or repeated breach of the NDB scheme is 10 million Australian dollars (AUD) for a body corporate or 2 million AUD for an individual.
The My Health Records Act 2012 (Cth) outlines penalties for non-compliance with the Act, including fines and potential criminal charges. The specific penalties and consequences for non-compliance are as follows:
1. Criminal penalties: The My Health Records Act 2012 provides criminal penalties for certain offences. For example, it is an offence to intentionally access or disclose PHI in the My Health Record system without authorisation, with a maximum penalty of 2 years imprisonment for an individual or 10 years imprisonment for a corporate body.
2. Civil penalties: The My Health Records Act 2012 provides for civil penalties for certain breaches of the Act. For example, suppose a healthcare provider fails to obtain an individual’s consent before uploading their personal health information (PHI) to the My Health Record system. In that case, they may be liable for a civil penalty of up to 5,000 penalty units (currently $1.11 million) for a corporate body or 1,000 penalty units (now $222,000) for an individual.
Alongside the financial and legal penalties, the following impacts may also apply to your business:
1. Reputational damage: Non-compliance with the My Health Records Act 2012 can also damage your pharmacy’s reputation, potentially impacting customer trust and loyalty.
2. Loss of business: In addition to the above penalties, non-compliance with the Act can also result in loss of business and revenue if customers choose to take their business elsewhere due to privacy and data protection concerns.
If you are worried about the security of your pharmacy systems and want to know how you can implement strong security in your pharmacy and protect yourself from ransomware, speak to your Corum Customer Success Manager or contact us on 1300 669 865.