SIRA censures icare over injured workers' privacy breach

Report proposes 'self-funding' insurance model for export industries

The NSW State Insurance Regulatory Authority (SIRA) has issued a letter of censure to icare after it disclosed the personal and health information of injured workers through an email attachment sent to the wrong recipients.

SIRA says the censure is appropriate given the breach, lack of appropriate safeguards in place, and with some aspects of the response regarded as unsatisfactory.

The censure, for contravening the Workplace Injury Management and Workers’ Compensation Act, will form part of the Nominal Insurer’s compliance history.

“In this instance a letter of censure is considered appropriate, however, in the event the authority becomes aware of further non-compliance of a similar nature, it may result in an alternative sanction such as the imposition of a civil penalty or prosecution,” SIRA says.

The privacy breach was caused by the incorrect transcription of employer email addresses and policy numbers in a spreadsheet before the cost of claims reports were sent out via a distribution list. As a result, some employers received personal or health information about injured workers whose claims they had no involvement with.

About 1450 claim reports referring to some 192,000 injured workers were sent to about 570 incorrect recipients on May 6. One of the recipients alerted icare on May 10 and the insurer advised SIRA verbally on May 13 and further reported the matter on May 20.

SIRA says the compilation of the distribution list for the claims report was reliant on a manual process, and therefore more at risk of human error, it was sent to employers by email attachment, with greater risk of inadvertent disclosure than other means, and no encryption, password or other security mechanism was applied.

See also  What are casualty lines of insurance?

The regulator recognised in the letter that icare has taken action to remediate the incident and address contributing processes. That has included contacting recipients seeking confirmation the claims report has been deleted or is inaccessible, providing written notification to affected workers and improving controls.

But SIRA says some aspects of the response were unsatisfactory, including notifications to affected workers that stated no “personal financial information” was included in the claims report.

“While no banking information was included, the report did contain information regarding compensation payment amounts which is arguably financial in nature. The authority considers that the notification should have been clearer on this issue,” it says.

The letter says icare originally determined not to notify workers with open psychological claims of the privacy incident due to the potential impact on them, “but the authority understands icare did send notifications to these workers in error”.

icare today said it had worked closely with the Information and Privacy Commissioner of NSW and SIRA, and could confirm remediation of the matter was completed last month.

“This was an isolated incident due to human error and not any failing of icare’s IT systems. As a result, stronger process controls are now in place to further safeguard the information we hold,” it said.

“We will continue to review our systems and safety measures to ensure they remain robust in future.”