Mediref in house process in the event of a data breach

As with any company handling sensitive information, Mediref has a process in place to address any detected breaches of privacy*. This process is in line with the guidelines set out by the OAIC here.

Please note, this article covers the procedure followed by Mediref in the event of a data breach that results from a technical flaw or a successful hack into our servers (there is no such thing as a 100% secure system). Mediref is periodically audited by third parties to ensure we are using best-practice methods with regard to cyber security and data handling.

For data breaches that occur as a result of human error on the part of a Mediref user, where Mediref is only the medium by which the data was transmitted, the process below does not apply. For such scenarios, Mediref has functionality in place to help Mediref users deal with the breach. Please read this for further details.

A data breach is described as an unauthorised access or disclosure of personal information, or loss of personal information. In the event that this happens, we are required to take reasonable steps to protect the personal information in question, and may be required to notify affected individuals (practices using Mediref and their recipients) and the Australian Information Commissioner (Commissioner) of a data breach under the NDB scheme.

The process that Mediref would undertake in the case of a breach is as follows:

  1. Identification and containment
    The first step in responding to a data breach is to identify the scope of the breach and take steps to contain it. This may include disconnecting affected systems from the network, revoking access for compromised user accounts, or implementing other measures to prevent further access to, or spread of, the data.
  2. Notification and communication
    The next step is to notify relevant parties, including affected individuals, regulatory bodies, law enforcement, and any other relevant stakeholders. Assess whether the breach falls under the Notifiable Data Breaches (NDB) scheme to determine who needs to be notified. This includes evaluating the risks, including potential harm, and the actions needed to remediate those risks. An excerpt from the OAIC:
    The NDB scheme requires entities to notify individuals and the Commissioner about ‘eligible data breaches’. An eligible data breach occurs when the following criteria are met:
    1. There is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
    2. This is likely to result in serious harm to any of the individuals to whom the information relates.
    3. The entity has been unable to prevent the likely risk of serious harm with remedial action.
    Individuals whose personal information is involved in a data breach may be at risk of serious harm, whether that is harm to their physical or mental well-being, financial loss, or damage to their reputation. Examples of harm include:
      • Identity theft causing financial loss or emotional and psychological harm
      • Family violence
      • Physical harm or intimidation
      • Financial fraud including unauthorised credit card transactions or credit fraud
  3. Investigation and analysis
    Conduct a thorough investigation to determine the root cause of the breach and assess the impact on the organisation and affected individuals. This would involve gathering evidence, analysing logs, and working with external experts or law enforcement.
  4. Remediation and recovery
    Once the root cause of the breach has been identified, implement measures to address the issue and prevent future breaches.
  5. Review and improvement
    After the response plan has been executed, review its effectiveness and identify areas for improvement. This may include updating the plan to reflect lessons learned, conducting additional training for employees, or implementing additional security controls.

We recommend the OAIC document here as a good guideline on how to prepare for and respond to any data breach. Mediref's process above has been based on it.