Victoria’s Information Commissioner has released the findings of an investigation into a long-running data breach at a Government department. The investigation centred on the un-authorised access of personal data by a former employee of a contracted service provider (CSP) at Victoria’s Department of Health and Human Services (DHHS).
The un-named male employee accessed data via the Client Relationship Information System for Service Providers (CRISSP) on 260 occasions after he left the employ of the relevant CSP.
CRISSP is the DHHS client management and case management system. In addition to information such as name, address, and date of birth, CRISSP may contain sensitive information such as placement address, alerts, and notifications of sexual abuse.
In September 2017, the employee ceased working on a rapid response youth focused DHHS program that facilitated CRISSP access. Shortly after, the employee resigned from the CSP and went to work at another service provider.
However, both the DHHS and the CSP failed to terminate the employee’s access to CRISSP.
After taking up his role at a new service provider, the former employee continued to access CRISSP. Victoria’s Information Commissioner, Sven Bluemmel, found the man did so 260 times between September 2017 and October 2018.
The man’s unauthorised CRISSP access came to light when noticed by other employees in October 2018. CRISSP access was then terminated and the data breach referred to authorities.
The Information Commissioner’s investigation found two causes of the data breach. There was a failure to appropriately offboard the employee and terminate his CRISSP access. Mr Bluemmel attributed this to human error. But the Commissioner also criticised the absence of in-built back-up procedures to raise an alert when failures like this occurred.
Following the investigation, the Office of the Victorian Information Commissioner made a series of recommendations to both the DHHS and the CSP. Both organisations have accepted the recommendations. The DHHS and the CSP have agreed to a range of changes to reduce the risk of similar data breaches reoccurring in the future.
