Personal data found on recycled hard drives
Internal emails and attachments from a government medical facility that list personal contact details for medical staff have been found on randomly selected recycled hard drives in Australia.
The Australian branch of the US National Association for Information Destruction (NAID), an industry group representing information destruction companies, recently commissioned forensic investigation firm Insight Intelligence to do a two-month study of recycled computers to highlight the potential for data breaches by not erasing hard drives correctly.
Last year, the organisation commissioned a similar study that found information that identified patients and results from blood tests in a rubbish bin outside a doctor's office.
The new study involved randomly buying second-hand hard drives from a number of sources, including eBay. Of the 52 hard drives purchased, 15 contained confidential personal information, including five from a government medical facility.
A spokesperson for NAID-ANZ said there had been attempts to delete the data from the medical facility but these had not been very effective.
“The material included detailed information about the facility's funding, lists of personal contact details for doctors and complete mail boxes from various employees,” the spokesperson said.
Other organisations that have a legal obligation to protect the public's information under the Privacy Act but which also left information on hard drives included law firms operating in Victoria and Queensland and a community centre.
NAID CEO Bob Johnson said the study was a simple one and did not require a great deal of technical knowledge to find personal data still stored on second-hand computers.
“While it might be tempting to dismiss these results given the sample size, it is actually very disturbing,” Mr Johnson said.
“When you consider that the Australian Bureau of Statistics' most recent estimates put the number of computers retired annually at over 15 million, the likely amount of private data put at risk in this manner is staggering.”
Insight Intelligence MD Mario Bekes said where personal information was found, there were signs that someone had attempted to remove the information but failed to effectively do so.
Mr Bekes said proper removal of data from computer hard drives requires more than just pressing the delete button.
“Even if they try to do it properly, private individuals and businesses take a big risk by attempting to erase hard drives themselves,” he said. “It is not really a do-it-yourself project.”
NAID recommends that medical practices and organisations take the following steps:
- Encrypt all personal client/customer/competitive information stored on IT assets
- Track all IT assets from the time they are acquired until the time of their ultimate disposal. Strictly speaking, IT equipment that cannot be accounted for should be treated as a reportable data breach
- Deploy physical locking devices to secure all electronic equipment, and develop specific security policies on mobile equipment
- Avoid using unsecured network connections
- Make sure updates and patches are applied to the equipment regularly
- Use a qualified third party to properly destroy data on retired IT assets, and be able to demonstrate that due diligence was applied to the vendor selection process
- Develop written policies and procedures related to all data protection matters, and train all employees and hold them accountable for compliance.
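The study's finding that data had been "deleted" but was still readable illustrates the gap between removing a file's directory entry and actually overwriting its blocks. The following is an added example, not code from NAID, Insight Intelligence or the article: a small Python checker that reads a disk image (or a block device, given the right permissions) and reports how many blocks still hold non-zero data and which printable strings survive in them, so that a drive can be verified before it leaves an organisation. The two images it builds (`unwiped.img`, where a constructed sample contact record still sits on disk after its directory entry was cleared, and `wiped.img`, fully zeroed) and the block size are assumptions chosen for the demonstration.

```python
import os
import re
import sys
import tempfile
from dataclasses import dataclass, field

BLOCK_SIZE = 4096  # assumed block size for the scan

# Runs of 8+ printable ASCII bytes: names, phone numbers, email text
# survive in unallocated blocks when only the directory entry was removed.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


@dataclass
class WipeReport:
    blocks_checked: int
    nonzero_blocks: int
    string_hits: list = field(default_factory=list)


def scan_image(path, block_size=BLOCK_SIZE, max_blocks=None):
    """Read an image/device sequentially; count blocks that are not all zero
    and collect a sample of the printable strings found in them."""
    checked = nonzero = 0
    hits = []
    with open(path, "rb") as fh:
        while max_blocks is None or checked < max_blocks:
            block = fh.read(block_size)
            if not block:
                break
            checked += 1
            if any(block):  # at least one non-zero byte: residual data
                nonzero += 1
                if len(hits) < 20:
                    hits.extend(m.group().decode("ascii")
                                for m in PRINTABLE_RUN.finditer(block))
    return WipeReport(checked, nonzero, hits[:20])


def looks_wiped(report):
    """A sanitised drive should contain no non-zero blocks at all."""
    return report.nonzero_blocks == 0


def build_demo_images(directory):
    """Construct two tiny images (constructed sample data, not real records).
    unwiped.img: block 0 is the cleared directory area, block 1 still holds
    the 'deleted' file's bytes. wiped.img: every block overwritten with zeros."""
    record = b"Dr A. Example, ph 0400 000 000 (constructed sample record)\n"
    unwiped = os.path.join(directory, "unwiped.img")
    wiped = os.path.join(directory, "wiped.img")
    with open(unwiped, "wb") as fh:
        fh.write(b"\x00" * BLOCK_SIZE)                  # directory entry gone
        fh.write(record.ljust(BLOCK_SIZE, b"\x00"))     # file contents remain
        fh.write(b"\x00" * BLOCK_SIZE * 2)              # free space
    with open(wiped, "wb") as fh:
        fh.write(b"\x00" * BLOCK_SIZE * 4)
    return unwiped, wiped


def run_demo():
    """Build both images in a temp dir and return their reports."""
    directory = tempfile.mkdtemp(prefix="wipecheck-")
    unwiped, wiped = build_demo_images(directory)
    return scan_image(unwiped), scan_image(wiped)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        rep = scan_image(sys.argv[1])   # e.g. a raw image or /dev/sdX
    else:
        rep, _ = run_demo()
    print(f"blocks checked: {rep.blocks_checked}, non-zero: {rep.nonzero_blocks}")
    for s in rep.string_hits:
        print("  residual text:", s)
    print("verdict:", "wiped" if looks_wiped(rep) else "RESIDUAL DATA PRESENT")
```

Run it with no arguments to see the constructed demonstration, or pass the path of an image or device to check a real drive; on the unwiped image the report flags one non-zero block and prints the surviving contact record, which is exactly the kind of material the study found. An all-zero scan is a necessary but not sufficient check (remapped sectors and flash over-provisioning are not visible this way), which is why the recommendation above still points to a qualified destruction vendor for retired assets.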
Revisions to the Privacy Act coming in next month mean the Australian Privacy Commissioner has increased powers to enforce laws and exact penalties for any breaches.
The new privacy laws bring together the former Information Privacy Principles, which covered the public sector, and the National Privacy Principles, covering the private sector, into one group of 13 Australian Privacy Principles (APP), which apply to all health service providers.
Businesses will be required to provide a written statement on their privacy policies. There are specific exemptions for healthcare provision outlined in the new act (PDF).
While an expected amendment to the new laws to establish mandatory data breach notification rules did not have time to be debated before the change of government last year, it is still on the cards. The Office of the Australian Information Commissioner (OAIC) has recommended that any amendment follow the data breach notification requirements of the PCEHR Act.