QIMR Berghofer Medical Research Institute
Summary
QIMR Berghofer Medical Research Institute disclosed on 20 March 2023 that personal information of 1,128 participants in its 2021 QSKIN skin cancer study was exposed in a data breach. The breach occurred when cyber criminals broke into servers operated by Datatime, a data processing company engaged by QIMR Berghofer. The compromised data included names, addresses, and Medicare numbers, but did not include genetic data or other research information. The breach was first reported to QIMR Berghofer by Datatime in November 2022.
What Happened
Cyber criminals broke into servers holding personal data collected by QIMR Berghofer for its skin cancer research study. The data was held by Datatime, a third-party data processing company that QIMR Berghofer had engaged to handle participant information.
The 2021 QSKIN study focused on understanding how genes influence a person's risk of disease and involved a mail-out to 9,749 potential participants. Of those contacted, 1,128 people who had their personal details stored by Datatime were affected by the breach.
Datatime reported the breach to QIMR Berghofer in November 2022, but the institute did not publicly disclose the incident until it issued a statement on 20 March 2023, approximately four months after being notified of the breach.
Impact on Individuals
The breach affected 1,128 participants in the 2021 QSKIN study. The compromised personal information included:
- Names
- Addresses
- Medicare numbers
Importantly, no other information was involved in the breach. Genetic data collected as part of the research study was not held by Datatime and therefore was not compromised.
The exposure of Medicare numbers is concerning as these are permanent government-issued identifiers that can be used for identity theft or fraudulent claims for healthcare services. Combined with names and addresses, this information provides a foundation for identity fraud.
Organisational Response
Once notified of the breach by Datatime in November 2022, QIMR Berghofer identified affected participants and contacted them directly by email in accordance with the recommendation of the Office of the Information Commissioner Queensland.
The institute apologised for the incident and emphasised that they "only engage highly credentialed data processing entities." The statement suggested some surprise that a breach could occur with a trusted vendor.
The incident raised questions about the responsibility chain when third-party processors are breached. QIMR Berghofer's four-month delay in public disclosure, despite contacting affected individuals, drew attention to the timing and transparency of breach notifications.
The breach highlighted the particular risks faced by medical research institutions, which collect sensitive personal information for legitimate research purposes but must then ensure that data is adequately protected by any third-party processors they engage. Participants in medical research studies trust institutions to protect their privacy, and breaches can undermine public willingness to participate in important health research.