Data Security Incident & Breach Reporting Policy

This policy sets out procedures for SurgicalPerformance in the event that we experience a data breach (or suspect that a data breach has occurred). A data breach occurs when personal information is lost or subjected to unauthorised access, modification, use or disclosure or other misuse.

SurgicalPerformance aims to comply with both Australian and American laws, along with any appropriate international standards, when it comes to security, privacy and data management. This includes the Australian Privacy Act 1988, the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act (Health Information Technology for Economic and Clinical Health Act), which require rigorous processes for the proper handling of any security incident involving Protected Health Information (PHI) and timely reporting of any breach of unsecured PHI.

This policy supplements our Health Insurance Portability and Accountability Act (HIPAA, 1996) Policy and our Data Protection Policy.

Reporting

If a user suspects there has been a data breach, the user must promptly report it to SurgicalPerformance via email to: [email protected]

Users should report the time and date the suspected breach was discovered, the type of personal information involved, the cause and extent of the breach, and the context in which the affected information was held and the breach occurred.

Types of breaches that should be reported:

  • Any event in which access to data might have been gained by an unauthorised person
  • Any event in which a device containing (or possibly containing) data has been (or might have been) lost, stolen or infected with malicious software (viruses, trojans, etc.)
  • Any event in which an account belonging to a person with access to the data might have been compromised or its password shared with an unauthorised person (e.g. responding to a phishing email, someone shoulder surfing and writing down the password)
  • Any attempt to physically enter or break into a secure area where data is or might be stored
  • Any other event in which data has been or might have been lost or stolen
  • Any other event in which data has been or might have been improperly used (e.g. used without the individual's written authorisation where authorisation is required)

Response

On receiving a report of a data breach, SurgicalPerformance will immediately notify the Security Official and the Development Team, who will review the report and form a Response Team.

The Response Team will determine if a data breach has occurred and undertake any immediate actions to contain the data breach if necessary.

There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.

There are four key steps to consider when responding to a breach or suspected breach.

  1. Contain the breach and do a preliminary assessment
  2. Evaluate the risks associated with the breach
  3. Notification
  4. Prevent future breaches

The Response Team should ideally undertake steps 1, 2 and 3 either simultaneously or in quick succession.

The Response Team should refer to the Office of the Australian Information Commissioner's (OAIC) Data breach notification: a guide to handling personal information security breaches, which provides detail on each step.

Whether or not a data breach is confirmed, the Response Team will determine what steps need to be taken to further investigate, remediate and mitigate the incident and to protect against future incidents.

If a breach of sensitive information (including but not limited to PHI, user data, reporting data or outcomes data) has occurred, SurgicalPerformance will give timely notice to affected individuals and government authorities, including the OAIC, as appropriate and/or required. The notice will be given as soon as practicable.