Personal health details and other sensitive information about recipients of the National Disability Insurance Scheme (NDIS) have been compromised after a cloud-based server of a private company was hacked.
The NDIS is a government-funded scheme which provides funding for support and services to about 500,000 Australians with significant and permanent disabilities.
CTARS is a cloud-based client management system for the NDIS and out-of-home care services. In a statement on its website, the Australian company says its systems were compromised on 15 May, with a sample of the stolen data posted on a deep web forum on 21 May.
"Although we cannot confirm the details of all the data in the time available, to be extra careful we are treating any information held in our database as being compromised," the company says on its webpage.
"This data includes documents containing personal information relating to our customers and their clients and carers."
Very large volume of sensitive information compromised
The company says that a "very large volume" of personal, health and other sensitive information may have been breached, which may include identity documents, Medicare details, tax file numbers, contact information, and personal health or other sensitive information.
"Health and other sensitive personal information by itself is generally not useful to a cyber-criminal. However, we acknowledge and understand that it may be upsetting to have your health or disability information accessed. We regret that this incident has taken place and sincerely apologise for any unease this may cause you," the company says.
In a statement to CHOICE, a CTARS spokesperson said that not all NDIS recipients were affected by the breach and only those organisations which are customers of CTARS and the clients of those organisations were impacted.
We acknowledge and understand that it may be upsetting to have your health or disability information accessed
CTARS, provider of cloud-based management system
"In the interests of the privacy of our customers' clients and staff, and to reduce the risk of attempts by scammers to target our customers, we are not releasing details of the number of people who may have been impacted," the spokesperson says.
"We have engaged external cyber-security and forensic specialists who have been working alongside our IT security team to help contain the event, investigate the breach and implement additional security measures to ensure that all users can safely access CTARS."
A spokesperson for the National Disability Insurance Agency (NDIA) noted that there had not been any breach of NDIA systems, and that "business decisions, including the use of software and data storage, are a matter for individual organisations" that are delivering services within the NDIS.
Stronger protections needed
Disability advocate El Gibbs says the company's response to the breach is concerning.
"Highly sensitive personal information about disabled people may have been exposed, and yet the company isn't going to let those very people know what exactly has been exposed," she says.
"There is no accessible information about where to get help, instead they are referring people to a complex online form from another agency. This is not good enough."
Kate Bower, consumer data advocate at CHOICE, says while the company appeared to be doing everything they were legally required to in regards to notifying those potentially affected, the laws requiring remedy need to be stronger.
"The problem is that there are no remedies available for people affected by data breaches and cybersecurity incidents. There is literally nothing that people can do to seek redress and we believe that needs to change," Bower says.
There is literally nothing that people can do to seek redress and we believe that needs to change
CHOICE consumer data advocate Kate Bower
Spokesperson from the digital rights advocacy nonprofit Electronic Frontiers Australia, Justin Warren, says the federal government needs to adopt stronger protections and obligations for companies and organisations holding sensitive data. He says the current review of the Privacy Act is the perfect opportunity to strengthen protections.
"When organisations fail to keep their end of the bargain for keeping your data safe, you should be able to seek compensation. At the moment there are no consequences for not doing a good job of protecting your data, they simply get to try again," he says.
In 2014, the Australian Law Reform Commission recommended a new legal liability for serious breaches of data privacy. Bower says it's time the new government looked at enacting such a protection.
"CHOICE encourages the new Attorney-General to urgently review this recommendation and the Privacy Act to protect Australians from serious breaches of privacy such as this," she says.
UPDATED 31 May 2022: We updated this article with a statement from the National Disability Insurance Agency.
Stock images: Getty, unless otherwise stated.
