Media statement

20 March 2023

A national data processing company widely used by government, universities and businesses notified QIMR Berghofer in November 2022 that a Study conducted by the Institute had been compromised in a cyber-security breach.

The company, Datatime, has provided very little information to the Institute regarding the breach.

The 2021 QSKIN study, affected by the Datatime breach, involved a mail-out to 9749 potential participants. The only information held by Datatime in relation to these individuals was their name and address.

A further 1128 participants completed the survey and returned their forms to Datatime. Their personal information, including name, address and Medicare numbers may have been compromised as part of the breach.

No other information, including genetic data or other, was involved or held by Datatime.

QIMR Berghofer’s arrangement to use an external data company included a rigorous process to ensure the reputation and credentials of the provider met the highest security standards. Datatime is ISO Accredited and compliant with the Privacy and Data Protection Act (2014). Datatime was responsible for the security and coding of identifiable and health information.

Once notified of the breach, QIMR Berghofer identified affected participants and contacted them directly by email in accordance with the recommendation of the Office of the Information Commissioner Queensland.

The participant notification included all information that was known and provided by Datatime including a description of the data breach, the kinds of information that may have been compromised, and the steps people could take to protect themselves.

“We are extremely sorry that participants of this study have been impacted by the third-party data breach. QIMR Berghofer takes these matters very seriously, which is why we only engage highly credentialed data processing entities such as Datatime. Security measures such as coding and separating responses to ensure confidentiality are typically used,” a spokesperson said.

Datatime advised QIMR Berghofer that it followed strict privacy protocols and notified the Office of Australian Information Commissioner to disclose the data breach. All relevant state and federal authorities, including the Australian Cyber Security Centre, Federal Police and Federal Government’s cyber experts were also advised.

As part of the Institute’s cyber security protocols, the supplier accreditation requirements are being strengthened.

All research studies conducted by QIMR Berghofer researchers that involve the collection or use of personal information, including health information, are reviewed by the Human Research Ethics Committee registered with the National Health and Medical Research Council (NHMRC).