Australia: Sensitive personal data of hundreds of visa applicants accidentally leaked in email mishap

22:06, 14 August 2019. Source: abc.net.au

Personal health information of 317 people applying for Australian visas was accidentally emailed to a member of the general public, an ABC investigation has revealed.

[Image: Bupa is the largest health insurer in Australia. © ABC News / Nic MacBean]

The security bungle occurred when a spreadsheet was sent by mistake to an unknown individual's email address, because of a typo.

The privacy breach, which happened in 2015, occurred under the watch of Australia's largest health insurance company, Bupa, and one of its subcontractors, Sonic HealthPlus (SHP).

Bupa is contracted by the Department of Home Affairs to assess the health of people applying for visas and permanent residency in Australia.

Documents obtained under a Freedom of Information request by the ABC reveal that in August 2015, an SHP employee accidentally sent the names, dates of birth, and passport numbers of 317 people, along with "brief notes, summaries and comments about the status of the medical tests being conducted" to an unknown Gmail address.

It was a mistake that would eventually lead Google Australia to intervene.

The privacy breach follows a 2014 incident in which the Immigration Department accidentally published the names, gender, and boat arrival dates of 10,000 adults and children in Australian immigration detention.

Bupa has also struggled with data security in the past. In 2017, the information of an estimated 20,000 Australians was compromised when a Bupa employee in the UK was found to have on the dark web.

Bruce Baer Arnold, a privacy and health law expert from the University of Canberra, said the latest privacy breach was "deeply concerning".

"With this one, I'm just speechless," Dr Baer Arnold said.

"The idea that we have an inadequately-supervised subcontractor using something like Gmail to transfer sensitive, personal health information is utterly appalling."

In a statement to the ABC, the Department of Home Affairs said the matter was immediately brought to their attention and fully investigated.

"The document contained bio-data details of visa applicants. No actual personal client medical records were disclosed as part of this incident."

The department said it was satisfied Bupa, and all of its subcontractors, currently only use systems that comply with the government's data security protocols.

Contractors can be a security vulnerability

Following the freshly revealed 2015 privacy breach, the then-Department of Immigration and Border Protection discovered that subcontractor SHP was removing the data of visa applicants from "authorised departmental health systems" and creating status reports in the form of Excel spreadsheets to send to Bupa.

The information was being extracted and shared in this way between SHP and Bupa against the department's policies and without its knowledge.

It led the department's Chief Medical Officer to write to the managing director of Bupa to inform him the company had "failed to comply" with the privacy obligations set out in its contract with the Federal Government.

The matter was referred to the Office of the Australian Information Commissioner.

Following the privacy breach, SHP and Bupa made several attempts to recall the email.

Bupa eventually went to the extent of contacting Google Australia, five weeks after the incident, to try and get the email back. Google agreed to remove the email from the receiver's inbox after notifying them.

Seventy days after the breach, on 16 October 2015, the department contacted the people whose information had been disclosed.

"A routine report prepared by a SHP temporary employee was sent to a SHP clinical officer for clearance," stated the letter, which was later published on the Migration Alliance website.

"The SHP clinical officer inadvertently mistyped the Gmail address of one of the intended recipients, and as a result, the report was sent to an email account … the identity of the recipient unknown."

The department instructed Bupa to undertake an immediate review of all policies and procedures related to the security of personal information handled by Bupa and its subcontractors.

"Bupa acknowledges that the process used to share the document containing the data was outside of the authorised departmental health systems," a spokesperson said.

"We know the importance of responsibly managing private data and took immediate actions at the time to address the matter."

The spokesperson said Bupa had since improved its data security practices, and introduced mandatory privacy training for employees dealing with visa health assessments, and an audit program to assess subcontractors' security practices.

More transparency needed

Dr Baer Arnold said incidents like this made it difficult for Australians to trust the government with their personal information.

He said private contractors were increasingly getting access to government data but that there was little transparency around the data security practices of those contractors or their subcontractors.

"I think it's extremely likely that there have been other problems, we just haven't heard about them," he said.

"We're increasingly relying on agents in the private sector to do work for government and many of those agents clearly are just not up to it.

"If this information is not encrypted, if it's being shared by badly-supervised subcontractors using a Gmail address, we're not up to speed. We need to do something about it."

Dr Baer Arnold said security standards had to be a priority whenever the government awarded contracts that would allow private service providers access to sensitive personal data.

"Is this something we should bear in mind when we give contracts, sometimes very profitable contracts, to entities such as Bupa?" he said.

"If they're not up to speed, we shouldn't be rewarding them by encouraging bad practice."

Bupa has the contract to provide immigration health assessments and medical services for the government until 2021.

"The government should be reasonably expected to have proper supervision of its contractor and by extension subcontractors," Dr Baer Arnold said.

Who was affected?

Immigration medical assessments, carried out by Bupa and its subcontractors, are required for certain visa applications and for people applying for permanent residency in Australia.

The purpose is to protect the Australian community from public health risks, but also to assess whether applicants are likely to impose a significant burden on the public health system.

Australia asks for a considerable amount of information from its visa applicants, according to Sarah Dale, principal solicitor at the Refugee Advice and Casework Service.

"People sign an agreement at the beginning of that process with the department that they will provide full and frank information and that they're going to have to go through health checks," she said.

"But a condition of that is the department is going to have to keep that information safe."

Ms Dale said health information was highly sensitive, and in some cases, its unauthorised disclosure could endanger the safety of applicants or their families in their country of origin.

While that was unlikely to have occurred in this instance, she said the department had still failed to live up to its end of the bargain with visa applicants.

"People were told to trust a system; people were told to engage with a system on the basis that their information was safe," Ms Dale said.

"At the end of the day: it was not."

In a statement, Sonic HealthPlus said the 2015 privacy breach was an isolated incident and swift action was taken "to rectify the situation and notify all affected parties".

The documents obtained by the ABC also revealed that in 2016, three laptops used by another government contractor were stolen at the Republic of Nauru Hospital.

At the time, the contractor provided emergency medical support to refugees, asylum seekers and Nauruan nationals. The contractor did not use passwords to secure the laptops.

A spokesperson said the department understands no personal information was stored on the laptops at the time of the theft, and the contractor undertook a password and security audit.
