
First Contact did not protect client data against cyber hack

A local medical practice was hit by cyber criminals who hacked into a staff member’s email.

The authority praised First Contact for its approach towards the investigation so far / Picture supplied

First Contact Health reported the breach and the accompanying fraud threat to the Office of the Data Protection Authority after the incident in May 2024, and an inquiry was set in train after concerns were identified about the security it had in place.

The ODPA found that the company had not implemented sufficient security measures, particularly important given the access to health information, which is considered to be special category data. It sanctioned the company and has ordered it to upgrade its security processes.

It found that only an email and password were required to access the account, with no further protections or authentication.

The access to the email system went undetected for at least five months, and regular security audits were not carried out.

The ODPA found that the company had breached the data protection law and imposed an order requiring it to take several steps to improve security safeguards.

Further enforcement action could be used if the order is not complied with, but the authority praised First Contact for its approach towards the investigation so far.

‘When you are responsible for highly sensitive personal information such as clients’ health data, it is critical to engage elevated authentication measures to guard against cyber attacks,’ said data protection commissioner Brent Homan.

‘We appreciate First Contact Health’s cooperation with our investigation and are confident that with the additional measures adopted through the enforcement order, the security of its clients’ data has been strengthened.’

The ODPA said it highly recommended the use of multi-factor authentication on signing into accounts, the adoption of conditional access policies, including the registration of devices and geo-blocking of certain IP addresses, and better detection of suspicious authentication activity.
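The ODPA's recommendations describe checks that can be expressed as rules over sign-in records. The following Python is an added illustration written for this article; it is not code from the ODPA, First Contact Health or any vendor. It assumes a simplified event shape (timestamp, user, source IP, geolocated country code, presented device identifier, MFA flag) and a constructed set of registered devices and geo-blocked countries; the sample events, the device identifiers and the `ZZ` country code are all made up for the example. Each sign-in is flagged when it lacks a second factor, comes from an unregistered device, originates in a blocked country, or is the first sign-in for that user from a country not seen in their MFA-verified baseline.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SignIn:
    """One authentication event as a mailbox audit log might expose it."""
    when: datetime
    user: str
    ip: str
    country: str      # ISO country code the source IP geolocates to
    device_id: str    # identifier the client presented; "" if none/unknown
    mfa: bool         # True if a second factor was completed


# Constructed sample events, not real log data.
SAMPLE_SIGN_INS = [
    SignIn(datetime(2024, 5, 1, 8, 2), "reception@example.test",
           "203.0.113.10", "GB", "dev-001", True),
    SignIn(datetime(2024, 5, 1, 8, 5), "reception@example.test",
           "203.0.113.10", "GB", "dev-001", True),
    # Night-time sign-in, no MFA, unknown device, blocked and never-seen country.
    SignIn(datetime(2024, 5, 2, 23, 41), "reception@example.test",
           "198.51.100.7", "ZZ", "", False),
    # Registered device from the usual country, but no second factor completed.
    SignIn(datetime(2024, 5, 3, 9, 15), "nurse@example.test",
           "203.0.113.11", "GB", "dev-002", False),
]

# Assumed policy inputs: the organisation's registered devices and its geo-block list.
REGISTERED_DEVICES = {"dev-001", "dev-002"}
BLOCKED_COUNTRIES = {"ZZ"}   # "ZZ" is a placeholder, not a real country code


def evaluate(event, registered, blocked, usual_countries):
    """Return the list of policy reasons a single sign-in should be reviewed."""
    reasons = []
    if not event.mfa:
        reasons.append("no-mfa")
    if event.device_id not in registered:
        reasons.append("unregistered-device")
    if event.country in blocked:
        reasons.append("blocked-country")
    # Only raise "new-country" once a baseline exists for this user.
    if usual_countries and event.country not in usual_countries:
        reasons.append("new-country")
    return reasons


def review(events, registered, blocked):
    """Walk events in time order, building a per-user baseline of countries
    seen on clean (MFA-verified, registered-device, unblocked) sign-ins and
    returning (user, timestamp, reasons) for every event that trips a rule."""
    baseline = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.when):
        usual = baseline.get(ev.user, set())
        reasons = evaluate(ev, registered, blocked, usual)
        if reasons:
            findings.append((ev.user, ev.when.isoformat(timespec="minutes"), reasons))
        else:
            # Only clean sign-ins extend the baseline, so an attacker's
            # location is never learned as "usual".
            baseline.setdefault(ev.user, set()).add(ev.country)
    return findings


if __name__ == "__main__":
    for user, when, reasons in review(SAMPLE_SIGN_INS, REGISTERED_DEVICES, BLOCKED_COUNTRIES):
        print(f"{when} {user}: {', '.join(reasons)}")
```

Run on the sample, the third event is reported for all four reasons and the fourth for the missing second factor alone. In practice these rules would be evaluated by the identity provider's conditional-access engine at sign-in time (blocking rather than merely reporting), with the same logic replayed over historical audit logs during the periodic audits the ODPA calls for, so that months of unnoticed access cannot accumulate.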

‘Security safeguards are a dynamic rather than static responsibility. Organisations must remain vigilant in an era of constantly evolving cyber threats,’ it said.

‘It is not enough for organisations to implement security measures and forget about them. Regular security audits or penetration tests must be undertaken to ensure that those measures are effective and to identify further measures that should be introduced.’
