What to do in the event of a cyber attack: Part 1

Many of us have been on the receiving end of spam calls from the ‘tax office’ or perhaps been the recipient of fake text messages advising us that our ‘parcel is ready for collection’. We know all too well that one false click can lead to a virus. But let’s go further and reflect on the clinic or practice you work at. What would your team do in the event of a cyber attack?

Notify those who need to know

The all important starting point is to notify those who need to know. You must notify your clients if your system is hacked, attacked or compromised in any way. If you don’t do this, you risk facing significant fines for non-compliance. The general idea behind this zero-tolerance approach is that once your clients are notified it empowers them to take necessary steps to protect their identity. Whereas if you don’t tell them, you restrict their opportunity to take these steps.

Be responsive

Timing is crucial. The longer you wait, the higher the likelihood that your clients may learn about this attack from another source, which can really damage your clinic’s reputation.

This all falls within the broader context of the Notifiable Data Breaches Scheme (NBD), which came into effect on 22 February 2018 and it pays to be familiar with this scheme. As previously stated, its rules apply to all agencies and organisations that are covered by the Australian Privacy Act 1988 (Cth). Regardless of turnover, the Privacy Act covers any business that is:

a health service provider
trading in personal information
a contractor that provides services under a Commonwealth contract
an operator of a residential tenancy database
a credit reporting body.

What the NDB says

When a data breach occurs, the NDB states that your priority as a business is to contain the breach and take remedial action. If your corrective action fails to mitigate the risk of serious harm, you must notify the Commissioner and the affected individuals.

Did you know?

Healthcare businesses are valuable targets because they hold sensitive personal information and credit card details – worth up to four times more to a cyber criminal than a simple ransom demand. In 2019, Australia’s health sector accounted for 22 per cent of all data breaches, making it the highest reporting sector in the country.

Steps you can take

So with all that in mind, here’s what you can do in the event of a cyber attack. As always, please seek professional advice in the event this happens to you.

The Office of the Australian Information Commissioner (OAIC) has an online form that can be used to prepare a statement to the Commissioner about the breach.
When notifying clients, you can stick to your standard form of communication whether it be a letter, email, phone or online. The notification must include the type of breach, the personal information affected and advice about what they should do. Other tips you may want to include are to:
- Advise clients on what steps to take to remediate their affected identity or protect themselves. Offer avenues of support, such as a helpline or a micro-website.
- Ensure your client communication contains contact details of credit reporting bodies such as Equifax so they can put an alert or ban on their credit file.
- Consider guiding clients towards credit monitoring plans such as Your Credit & Identity which can give clients an early heads up on potential identity theft.
- Provide clients with the details of an identity remediation partner. For example, IDCARE is a not-for-profit charity who can work with your clients to go through any necessary mitigation steps.
Prepare your staff on how to field client questions about the breach. Bear in mind that your clients may be significantly inconvenienced by this breach so ensure your team is responsive to their frustrations and empathises with the potential time and effort involved on your client’s part.

Next month: We look at the three criteria behind when a data breach is notifiable, what is considered ‘personal information’, and who is responsible if you’re using a third party.

Additional resources

BMS Group’s Cyber Liability Insurance can be purchased alongside your membership. For example, after an attack, Cyber Insurance will cover the following costs:
- Third party claims against you
- Business interruption and costs to restore your data
- Notifying your customers and employees of the breach.
Contact BMS via phone or email to learn more about Cyber Liability Insurance: podiatry@bmsgroup.com | 1800 514 933 or proceed to the online purchase process, found here.
Australian Government’s STAY SMART ONLINE has tools on how to protect your business and free alerts.
Digital health agency offers cyber security training and resources to directly assist healthcare providers.
Equifax’s has a range of credit and identity products.
Our website contains useful tips and insights.

BMS Risk Solutions Pty Ltd AFSL 461594, ABN 45161187980 issues the Cyber Liability Insurance under a binder agreement with Certain underwriters at Lloyds. Consider the Product Disclosure Statement and Financial Services Guide before making any decisions about this policy. This material provides general advice only. BMS acts as agent of the insurer and not as your agent.