The QIMR Berghofer Medical Research Institute has disclosed a November data breach that affected more than 1000 individuals.
The breach was first reported by the ABC, which was contacted by people who had received a notice of the breach.
The breach affected people who had taken part in a skin cancer research survey, and included participants’ name, address, and Medicare numbers.
According to a statement published today by the institute, it was first advised of the breach by service provider Datatime in November 2022, when Datatime and another company operated by PNORS Technology Group suffered a breach.
The QIMR Bornhofer Institute said Datatime was contracted to conduct a mailout to nearly 10,000 individuals, and was only provided with names and addresses.
The 1128 individuals affected by the breach were those who completed and returned the forms to Datatime, and for those, name address and Medicare number may have been exposed in the breach.
“No other information … was involved or held by Datatime," the institute said.
“The company, Datatime, has provided very little information to the institute regarding the breach.
"Datatime was responsible for the security and coding of identifiable and health information.”
The institute said it contacted those affected when it was informed of the breach, as well as the Office of the Australian Information Commissioner.
It’s not the first time the QIMR Berghofer Medical Research Institute has been caught by a third-party data breach.
In February 2021, the institute was caught up in the Accellion data breach, with 620MB of its data accessed.
That breach, however, did not involve personally-identifiable information.