A cybersecurity expert has called on the Tasmanian Government to replace its ambulance communication technology to prevent future breaches of confidential patient information.
Key points:
- A Queensland-based expert says it is difficult to protect information communication via radio
- He says it is impossible to know how many people have accessed leaked data
- The Shadow ICT Minister says the breach is a “betrayal of Tasmanian’s trust”
It was revealed on Friday the private details of every Tasmanian who had called an ambulance since November last year had been published by a third party to a list online that was still updating each time paramedics were dispatched.
The unencrypted information came from pagers being used by paramedics.
Darren Hopkins, a partner at McGrathNicol — a national company which advises governments and businesses on cybersecurity risks — said it was very difficult to protect sensitive data on radio because it was such old technology.
Mr Hopkins said replacement technology would be needed because while pagers work well in remote areas, it was very complicated to encrypt the information being transmitted by them.
“When you find an issue with the technology you’re using, you research and find an alternative and implement it as soon as you can,” he said.
He said governments across the country struggled with this issue, with a similar incident happening in Victoria in 2014, but most data breaches were internet-based, not radio-based like this one was.
“They’ve taken what was radio data, converted it into text-readable data and published it online, and that’s particularly concerning because anyone could have captured and have a copy of that information by now,” he said.
Mr Hopkins said because the website was not run by a corporate entity, it was pretty much impossible to know who has accessed the information and when.
He said it was vital important information was not easily accessible.
“Just don’t make it publicly available, just encrypt it … it’s a fundamental concept of most security to be honest.”
Tasmanians’ private information ‘no longer secure’
The Government has been criticised for years about its lack of investment in information and communications technology (ICT), including by industry professionals.
Shadow Minister for ICT Michelle O’Byrne slammed the Government’s response so far, saying simply referring the matter to police did not address the years of inaction on data protection.
She said the Government had been warned repeatedly information stored in the Department of Health and Human Services was particularly vulnerable, with auditor-general reports in 2015 and 2018 and 2019.
“This Government has failed to address a known risk about patient information, and while they’ve always promised to do something, have failed to do anything,” she said.
She said Tasmanians should be concerned about how safe their information was.
“If the Government is not able to keep their information safe now and can’t do anything about that information that’s been published now, then what safety and security and confidence can we have that our information will be secure into the future?” she said.
“The fact that you can access this data so easily is an absolute betrayal of Tasmanians’ trust.”
Tasmania Police Assistant Commissioner Adrian Bodnar confirmed in a statement the matter had been referred to them for assessment.
“Tasmania Police has contacted the administrator of the site who has voluntarily removed it,” he said.
In a statement, Health Minister Sarah Courtney said the data breach was “extremely concerning” and Ambulance Tasmania was taking appropriate steps to address it.
“I understand it may be distressing for those affected and I can assure Tasmanians that the Government is taking all the necessary steps to protect the privacy of our patients,” she said.
“An internal review into the circumstances which led to the breach is underway.”
