icare still waiting on leaked workers' comp data to be deleted

NSW public insurer icare is yet to receive assurances from two dozen firms mistakenly sent reports containing the personal details of 193,000 injured workers, that they have deleted the data.

Finance minister Damien Tudehope made the admission during parliament on Wednesday, a month after icare first discovered the privacy breach.

The breach – which occurred on May 10, but only came to light last week – saw 587 employers or brokers sent incorrect employer cost of claims reports for the month of April.

Data relating to the 193,000 workers was contained across the totality of reports sent to the 587 recipients. It included policy numbers and claim cost, but not contact details or financial information.

In a statement last week, icare said employers and brokers that received the wrong reports had been contacted and that it was “confirming with them that they have deleted the information”.

But on Wednesday Tudehope said that while “96 percent of the 587 brokers or large employers... have now confirmed that the information was deleted”, data remained in the wild.

“icare is following up on the remaining four percent to get that assurance,” he told parliament, adding that “no employer received a list of all 193,000 injured workers’ claims information”.

Tudehope said icare had taken steps to “inform all affected current claimants of the breach and the remedial action taken”.

Individuals with closed claims have not yet been notified, with the Information and Privacy Commissioner advising icare to “conduct a serious harm assessment” before doing so.