Australians learned the scale of two major health data breaches this week, with some patients' personal information — including credit card details and test results — posted to the dark web.
On Thursday, pathology company Australian Clinical Labs revealed its subsidiary Medlab, which carries out COVID-19 testing and other services, had been hacked eight months ago — but the company is only now letting people know.
Earlier this week, Medibank Private revealed criminals had accessed the data of at least 4 million customers, including their health claims.
But why are criminals going after our health information, and what value do they see in it?
Why are criminals targeting healthcare?
The motive behind the Optus breach was clear enough, but what criminals hope to exploit from our health data is less so, says Peter Lewis, director of the Centre for Responsible Technology, whose data was accessed in both the telco and Medibank Private breaches.
The Optus hack exposed the data of almost 10 million Australians, including driver's licence and passport numbers.
But the information accessed in the Medibank and Medlab hacks is more personal, and includes test results and diagnostic details.
Medlab says some patient data has been released on the dark web.
Mr Lewis says health sector hackers may be out to blackmail people, damage the companies' reputations, or sell on the vast pools of data to other criminals.
"There is the sense that they may try and blackmail people," he says.
"There is sensitive information out there, but I don’t know if that’s the game.
"The second is to do damage to the organisation that they've hacked so it is potentially far more damaging to Medibank than it is to any individual.
"But thirdly, it is true that they’ve captured that entire base of health information; maybe they’ll ... try to find ways to make value out of big pools of data."
Identity theft is still the biggest risk for people whose health data has been hacked, but the intimacy of health information could also open some people up to blackmail if it were released — or make them less open with healthcare professionals, says Dr Rob Hosking, who chairs the Royal Australian College of General Practitioners' technology committee.
Most cyber attacks on the health sector up to now have been ransomware, which disrupts patient care but does not access patient information, he says.
But he believes the attacks on Medibank and Medlab are something new.
"I think it is a shift in activity by the criminals, whether it's going to be a sustained shift, or only a shift which we've seen with these most recent cases [is unclear]," he explains.
The increase in remote working and telehealth through COVID has also opened up potential vulnerabilities in the system, Dr Hosking says.
"Nobody wants their personal, private information exposed to the public and that’s one of the risks we run with using the benefits of the internet for other things, for remote access, for transfer of information about people’s health and doing things in a much more timely fashion.
"The worrying thing here is that it [health breaches] creates mistrust if people are fearful of divulging information to their practitioners; that means they may not get the care that they deserve."
What can you tell from a blood test? Or a health claim?
Health claims are not as comprehensive as our conversations with our GPs, but they do "contain traces" of that highly personal information, cyber expert Bernard Robertson-Dunn warns.
As well as Medicare numbers, addresses and phone numbers, Medibank says hackers also accessed some claims data, including where the medical service was, and codes related to their diagnosis and procedures.
Medlab is one of the country's largest pathology providers, and does immunology, blood and COVID tests, as well as other services.
The breach affected 223,000 people, including 17,539 individual medical and health records associated with pathology tests.
"Some of these individuals might have absolutely nothing in their health records, other people might have problems that are embarrassing," Dr Robertson-Dunn says.
"So it depends on the individual, but the level of detail that can be in a health record is the most comprehensive of any data."
In its statement on Thursday, Australian Clinical Labs (ACL) said it had been analysing the data downloaded from the dark web to figure out who it belonged to so it could tell them.
What needs to be done to keep data safe?
Data is like uranium — it's dangerous to hold onto, and difficult to dispose of, says Mr Lewis.
"The starting point, particularly with health information, has to be that the minimal amount is collected and it is as de-identified as possible.
"It’s clearly for a lot of people been quite confronting to think very personal parts of themselves are in the hands of people who are trying clearly to exploit that," he says.
"We’ve got to expect our policy makers to be bold with the guardrails and red lines they put in place," he adds.
Mr Lewis wants governments to "minimise" what data they expect organisations to collect.
He also wants the government to go beyond penalising organisations, and give recourse to people whose data has been breached.
Dr Robertson-Dunn says medical information is expensive and difficult to manage, and it can be hard to know what should be kept, and what can be binned.
He says we need to re-evaluate what has to be held onto.
"The government and organisations need to get more serious about the security of the data that they keep," he says.
"They need to question if they need all of it, if it all needs to be online. If you change GP should the old GP keep your records? There’s probably an argument that maybe they should, but it is a risk.
"Curating health data is not easy because how do you know what you might need in the future?"