Unauthorized Health Data Access Exposed in Victorian Government Breach
A serious data breach has been uncovered at the Victorian Department of Health and Human Services (DHHS). A former employee of a contracted service provider (CSP) accessed personal data without authorization for over a year. The Office of the Victorian Information Commissioner has issued recommendations to prevent such incidents in the future.
The breach, discovered in October 2018, involved unauthorized access to the Client Relationship Information System for Service Providers (CRISSP) between September 2017 and October 2018. The employee, who had left the CSP, was still able to access the system, which contains sensitive information such as names, addresses, dates of birth, and alerts.
The investigation found two main causes: the failure to terminate the employee's access after they left, and the absence of built-in backup procedures that would have raised an alert. The employee accessed CRISSP 260 times during this period. Both the DHHS and the CSP have accepted the recommendations and agreed to implement changes to reduce the risk of similar breaches in the future.
The data breach highlights the importance of robust offboarding procedures and in-built security measures. Both the DHHS and the CSP have committed to implementing changes to protect sensitive data. No specific service provider has been identified in connection with this breach.