NZ: Privacy breach on 9000 ACC claims (updated)
Phil Kitchin reports on a breach involving sensitive personal information in New Zealand:
Private details of more than 9000 ACC claims – some featuring well-known people – have been emailed to a person who should not have received them, in what is being described as one of the worst privacy breaches in New Zealand history.
The details included personal information on nearly 250 clients from ACC’s most secure unit – the sensitive claims unit. Full names, the nature of each claim and dispute, and individual claim numbers were among the information revealed.
For those who, like me, don’t recognize the acronym, ACC’s website describes them:
The Accident Compensation Corporation (ACC) provides comprehensive, no-fault personal injury cover for all New Zealand residents and visitors to New Zealand.
Not surprisingly, they issue press releases. But there has been no statement about this incident, despite having reportedly been alerted to it in December. According to Kitchin:
Senior management at ACC were told three months ago that they had possibly made the biggest privacy breach in New Zealand history, but they have made no effort to investigate or contain the breach with the recipient.
Some of the names in the huge files were public figures, the recipient said, and they also included victims of violent and sexual crimes. Without going through all the files, the recipient recognised at least 10 people on the lists.
The sensitive claims unit is a special unit containing ACC’s most sensitive claimants, including sexual abuse and rape victims.
Not only did ACC allegedly not investigate the breach nor notify those whose private details were exposed, but this was not a single breach/disclosure:
The same details also appear to have been sent to more than 50 ACC managers, most of them not from the sensitive claims unit, raising questions about the security of information supplied to the unit.
Personal information held by the unit is not supposed to be divulged to anyone outside the unit without the permission of the client.
New Zealand currently has no mandatory breach notification law.
So… what will it take to get New Zealand off the dime to require breach notification?
Read more on Stuff.
Update: There have been dozens of news reports on this breach since Kitchin’s article first appeared. The ACC has apologized for the breach. Significantly, media coverage now indicates that the compromised information was confined to names, record (claim) numbers and branches involved. No medical details were involved. So how bad was this breach really? It seems that all that would have been revealed is that someone had filed a claim with the sensitive claims unit. While I grant you that’s not a good thing, it certainly doesn’t sound as awful as the initial impressions.