22 March 2023

Who’s responsible for QSKIN data breach?

digital health Research

The wolf is at the door of Australia’s health data but there are solutions to the problem.


The largest skin cancer study in Australia, QSKIN, was hacked this week but don’t expect anyone to be held personally accountable.  

Australia has tended to respond to data breaches with a spin of abject apologies, investigations into corporate culture and pointing the finger at hackers; the omnipotent, big bad wolf of the cyber world. Individuals are rarely, if ever, held responsible despite human error being a significant cause of data breaches.  

QIMR Berghofer medical research institute said they were “extremely sorry” about the breach. They were also quick to point out that the hacked servers were operated by an external company to process QSKIN study surveys.  

The surveys have spanned over 10 years, engaged around 50,000 Australians and asked participants about matters including menstruation, depression and divorce. 

As the list of Australia’s data breaches gets longer, and as health data is increasingly targeted, there may be merit in looking for new ways to ensure data protection.  

Denmark has advanced digital health with every resident’s health records easily accessible and sharable across all levels of care. Despite the ease of access to personal health records, Denmark has very few issues with data breaches. 

In Denmark, government employees, staff of private companies and academic researchers are each personally liable for breaches of customer data. 

Professor Jens Søndergaard leads the General Practice Research Unit at the University of Southern Denmark and is also a GP. He said that in Denmark, government employees, staff of private companies and academic researchers are each personally liable for breaches of customer data.  

“We have a really good controlling system. In research, for example, we used anonymised files and if there are any data breaches at the university we will actually be punished. We will not have access to using those data systems for a long time and we may be fined,” he said. 

The Danish Data Protection Act and the General Data Protection Regulation outline penalties such as fines and imprisonment for infringements such as improper data control and processing.  

It’s a big stick to hold over the heads of bureaucrats, corporate executives and those with access to high-level, customer data. Yet, Professor Søndergaard says it works successfully within a specific societal mindset. 

“I think it’s also about culture in Denmark. We are a small country and the degree of trust is very, very high in Denmark in comparison with many other countries. We trust in our government, we trust in each other,” he said. 

There are major cultural differences between the land of LEGO and ours of droughts and flooding rains. Here, we try to sue a local government when we fall off a cliff in the middle of the night, or go over the guard rails of a poorly maintained bridge

While the wolf is stalking the door of Australia’s patient data, perhaps some self-reflection on how we culturally respond to data breaches is warranted.