Datatime

Datatime is an Australian organisation that operated as a contractor responsible for processing sensitive medical survey data. Its core function involved managing information for major health research studies, specifically handling participant responses that contained highly personal health details. The company's work placed it at the intersection of healthcare research and data management, serving as a critical intermediary for institutions conducting large-scale medical studies. This role required it to safeguard a wide array of personal identifiers, including names, addresses, government health numbers like Medicare details, and the substantive survey responses themselves, which could encompass mental health status and medication histories. The nature of its services meant Datatime processed data integral to significant public health research initiatives, such as a major Australian skin cancer study, thereby supporting national health objectives through its data handling competencies. Its operational model was centred on the secure processing and temporary storage of this information prior to scheduled deletion, a standard practice for such research contractors.

The organisation's profile is notably defined by a significant security incident that occurred in November 2022. During this event, hackers infiltrated the servers holding the medical survey data, temporarily locking Datatime out of its own systems and exfiltrating data samples. This breach directly compromised the personal information of over 1,000 participants from the affiliated skin cancer study. The incident exposed critical vulnerabilities in the company's data protection measures and triggered a severe privacy incident. The research institute client subsequently notified affected individuals privately, though the situation drew public criticism toward both the institute and, by extension, its contractor for not making a public disclosure about the breach while continuing to recruit for other studies. This lack of public announcement highlighted a systemic gap in breach disclosure regulations, as no legal obligation existed for such a public announcement despite the clear risks to individuals. The participant distress reported underscored the profound real-world consequences of such data compromises when highly sensitive health information is exposed.