The personal information of more than half a million Australian blood donors has been leaked in a serious security breach at the Red Cross.
The hacked file is reportedly a backup of submissions to a web-based contact form. Over 550,000 people who donated blood between 2010 and 2016 are on the list, which also includes contact numbers and addresses.
The Australian Red Cross Blood Service held a press conference in Melbourne on Friday where chief executive Shelly Park explained the situation:
“We learned that a file, containing donor information, which was located on a development website, was left unsecured by a contracted third party who develops and maintains our website. The issue occurred due to human error. Consequently, this file was accessed by a person outside of our organization.”
The compromised archive file, which was online from Sept. 5 to Oct. 25, also includes the personal health details submitted by each individual into the inquiry form’s blood donor questionnaire. It’s this information that is most sensitive, such as whether the donor engaged in drug use, sex work, or gay sexual activity.
The Red Cross was working with the cyber emergency response team and forensics experts at AusCERT to remove all known copies of the file, which was reportedly successful. Now the forensics experts are attempting to trace who may have accessed and downloaded the archive before the exposure was discovered. This kind of analysis is more time-consuming and difficult.
Still, although a contracted third party caused the exposure, the Red Cross appears to be taking full responsibility for what has happened.
“We apologize, and we acknowledge that this is unacceptable,” Park said. “Our apology is unreserved. Donors have an expectation and a right to think that all of their information that they share with us is held accountably and responsibly.”
In the context of health breaches, this is the biggest in Australia's history. As data-rich entities, healthcare organizations are prime targets for hacks and data breaches. A study released in May of this year indicated that 90 percent of all healthcare organizations had suffered a compromise in the last two years, costing them an average of $2.2 million on each occasion.
Those who were notified that they were on the Red Cross’ leaked file have been warned to remain vigilant against scams, online or offline, that may use their personal information in phishing attacks for fraudulent purposes.