The personal details of more than 1000 participants in Australia’s biggest skin cancer study are feared to have been compromised in a previously undisclosed cybersecurity breach last November.
QIMR Berghofer says the breach potentially exposed the names, addresses and Medicare numbers of 1128 people involved in the QSkin Study although it says no clinical information has been compromised.
The institute says it contacted affected participants after becoming aware of the breach last November, but did not issue a public statement until it was revealed in an ABC report on Monday.
“A national data processing company widely used by government, universities and businesses notified QIMR Berghofer in November 2022 that a study conducted by the Institute had been compromised in a cyber-security breach,” it said.
“The company, Datatime, has provided very little information to the institute regarding the breach.”
Established in 2011, QSkin is described by QIMR as the largest study of skin cancer ever conducted, involving more than 40,000 Queenslanders who have provided saliva samples as well as survey data on their medical history and sun exposure over the past decade.
According to QIMR, only those who took part in the 2021 round of the study were impacted by the breach, with Datatime only holding the names, addresses and Medicare numbers of participants.
No other information, including genetic or other clinical data, was involved or held by Datatime, the institute said.
It is not the first time QIMR Berghofer has been impacted by third-party data breaches, with the institute announcing it had been exposed in a hack of a file sharing system called Accellion three years ago.
At the time, it said preliminary investigations had indicated that no personally identifying information belonging to members of the public had been compromised, although some de-identified information may have been collected by the hackers.
The latest incident has raised alarm bells with cyber security experts.
Data breach researcher Professor Jane Andrew from the University of Sydney said the hack highlighted the need for new laws as there was currently no legal requirement to publicly disclose a hack.
“I think all organisations who are engaged in or have an event that is deemed to be harmful, potentially harmful or likely to cause harm, that they should make a public announcement,” she told the ABC.
“I do think it means that if you then are about to make a decision as to whether you, in this case, engage with this research institute in the future, you actually understand the risks properly.”
QIMR said it was strengthening its policies for accrediting external IT providers in response to the hack, although it said Datatime was ISO certified and widely used by governments, universities and businesses.
It also stressed it had notified the Federal Government of the breach and had followed protocols laid down by the Office of the Information Commissioner Queensland in contacting affected participants.
“We are extremely sorry that participants of this study have been impacted by the third-party data breach. QIMR Berghofer takes these matters very seriously, which is why we only engage highly credentialed data processing entities such as Datatime,” a spokesperson said.
“Security measures such as coding and separating responses to ensure confidentiality are typically used.”