There is clamour about the need to do better at protecting people’s information, make sure we have robust systems, closely monitor cyber security measures, and help people understand the importance of all this.
But it does not take long before the snooze button is hit, and everyone carries on much as before.
There might be an inquiry into the latest scandal, but by the time that produces a report, interest in the subject has waned and little attention is paid to whatever recommendations are made.
Will it be different with the Manage My Health saga, which so far has been a master class in how not to deal with a cyber security breach involving people’s sensitive information?
The signs are not encouraging.
The government’s initial reaction to the news that up to 127,000 people may have had their personal health information illegally accessed was to express concern but lay the responsibility squarely at the door of the privately owned Manage My Health.
On the face of it that might have looked fair enough.
This is the country’s biggest patient online portal provider, where patients can communicate with their healthcare providers including to schedule appointments, request repeat prescriptions, receive laboratory results, and share clinical notes.
It is the responsibility of MMH to ensure security.
But there is more to it than that. The development of patient portals, something many patients and healthcare providers find immensely useful, has been promoted by successive governments, including the provision of some direct funding.

Even though the privacy commissioner was alerted six months ago to the security risk to the platform, apparently this merely resulted in MMH investigating some accounts and adding extra protections to those accounts. The company fell short of offering protection to all users, even though that had been suggested by the privacy watchdog.
This highlights the ineffectiveness of our privacy regime.
So far, there is no noise from the government which suggests much will change.
After almost a week, Health Minister Simeon Brown announced a review of the cyber security breach. Its focus will be on assessing the cause, looking at the data protections in place and the response to the incident, and recommending any improvements required to prevent similar incidents occurring.
Expected to start by the end of the month, it will no doubt extend for several months, by which time election year will be in full swing and there will be myriad other issues occupying the news cycle.
It is not as if the government has not known about these risks.
Privacy commissioner Michael Webster has repeatedly pointed out the shortcomings of the current privacy regime, including in his briefing to incoming Justice Minister Paul Goldsmith in 2023.
In that he drew attention to the ineffectiveness of maximum $10,000 fines as an incentive to comply with the law.
He pointed out in 2022 Australia strengthened its civil penalty regime so a serious or repeated interference with privacy had a maximum penalty of $A50 million ($NZ58.3m) or three times the value of the benefit obtained directly or indirectly.
The briefing also told Mr Goldsmith the office did not have enough funding to forensically investigate privacy breaches involving complex cyber-attacks which were increasingly common and concerning.
In the case of the huge Latitude Financial breach in which millions of Australians’ and New Zealanders’ information was exposed, including drivers’ licences, passports and sensitive financial data, it has been able to work jointly with the Office of the Australian Information Commissioner. Almost three years on from the breach, that work is not yet complete.
In the wake of the MMH saga, it is time for the government to stop looking the other way and pretending the hands-off, high-trust approach to privacy will ever work.
The announcement of a comprehensive review of the Privacy Act, including allowing for the imposition of significant fines on those who continue to thumb their nose at their privacy obligations, would be a start.












