Data breach: Icare sends private details of 193,000 workers to wrong employers

Icare sends private details of 193,000 workers to wrong employers
Lucy Cormack
By Lucy Cormack
June 2, 2022 — 5.00am
Save
Share
Normal text sizeLarger text sizeVery large text size
Advertisement

The personal details of almost 200,000 injured workers were mistakenly shared with 587 employers and insurance brokers in a major privacy data breach by embattled state insurer icare last month.

A senior source with direct knowledge of the breach said the details of 193,000 employees were contained in spreadsheets that were mistakenly sent as attachments to the wrong employers.

Icare said it has contacted all recipients of the report and is conducting due diligence to confirm the data has been deleted.
Icare said it has contacted all recipients of the report and is conducting due diligence to confirm the data has been deleted.CREDIT:KATE GERAGHTY

Icare contacted affected workers last week to apologise and put the mistake down to “human error”.

In the letter, seen by the Herald, workers’ compensation group executive Mary Maini said she was “very sorry” about the breach on May 10. It also published a short statement on its website.

Icare “inadvertently sent out a report containing a limited amount of information relating to your workers’ compensation claim to another employer, who should not have received it,” she wrote.

RELATED ARTICLE
Icare chief executive Richard Harding fronted the hearing on Wednesday.
icare investigation
‘Disastrous:’ Insurance regulator gives sober review of icare at inquiry
The state insurer provides workers’ compensation insurance to 3.6 million public and private sector employees in NSW. It was recently forced to repay $38 million to 53,000 injured workers due to historic payment errors.

Icare reported the data breach to the State Insurance Regulatory Authority and the Information and Privacy Commission of NSW last week and asked employers to delete the information they received.

The cost of claims report included a summary of workers’ claims history, their name, date of birth and injury category, but no banking or contact details.

Advertisement

“Although this is a one-off we are concerned that on this occasion our communication processes failed, and we have commenced a comprehensive review of our systems and processes to ensure that this does not happen again ... I apologise,” she said.

Screenshots of one report, seen by the Herald, show that it also contained a workers’ policy number, a breakdown of weekly payments, claim costs and gross amounts paid.

An icare spokesman said the incident involved the cost of claims report for one employer being sent to a single different employer, which occurred for 587 employers and brokers.

“It was human error as a result of manual processing. It has nothing to do with any IT system. Icare has contacted all recipients of the report and is conducting due diligence to confirm the data has been deleted,” he said.

Risk management specialist Richard Gilley, who represents around 50 employers managing workers’ compensation, said the data breach was now “market gossip” among concerned employers and brokers.

“From the information I have seen, it appears it is quite easy to determine weekly payments to individual workers,” he said.

RELATED ARTICLE
Workers’ compensation claims are expected to rise when COVID-19 restrictions are reduced.
State Parliament
Government votes to protect bonuses for icare executives
“You can easily work out how much people have been paid by working out the total cost of payments divided by the weeks off work. To say there is no financial information shared appears to be a lie”.

Icare’s spokesman said the email and letters sent to affected workers “clearly states no personal financial information or contact details were included. This is not misleading”.

He said no personal bank details or other financial information that could potentially lead to fraud or theft was included and that independent expert IDCare was consulted for remediation and communications to impacted workers.

Opposition treasury spokesman Daniel Mookhey said the number of customers affected by the leak warranted an independent investigation.

“The 193,000 workers whose personal information icare distributed far and wide deserve answers about why this happened.”

EDITOR'S PICK
Burning Candle, 2020 by Darren Sylvester. Inset, Deloitte director Paul Quill.

White collar crime
Archibald heist: Deloitte staffer allegedly stole from Gutnick firm to fund art spree
The State Insurance Regulatory Authority is investigating if the incident constituted a breach of the workers’ compensation legislation, a spokeswoman said.

In a statement, the Privacy Commissioner said icare had confirmed arrangements to support affected workers who can also contact the Information and Privacy Commission for advice.