Personal health details, including Medicare and tax file numbers, of National Disability Insurance Scheme (NDIS) recipients have been compromised after CTARS, a Sydney-based software provider for the disability and care sectors, was hacked.
CTARS revealed this week that its systems were breached on 15 May, "with a sample of the stolen data posted on a deep web forum on 21 May". The company, which provides a cloud-based client management system for the NDIS and out-of-home care services, posted a statement on its website outlining that the compromised data included "documents containing personal information relating to its customers, their clients and carers".
"Although we cannot confirm the details of all the data in the time available, to be extra careful we are treating any information held in our database as being compromised," CTARS said.
The company further revealed that a "very large volume" of personal, health and other sensitive information may have been breached, including identity documents, Medicare details, tax file numbers, contact information, and personal health and/or other sensitive information.
"Health and other sensitive personal information by itself is generally not useful to a cyber criminal," CTARS said in the statement.
"However, we acknowledge and understand that it may be upsetting to have your health or disability information accessed.
"We regret that this incident has taken place and sincerely apologise for any unease this may cause you."
Over 500,000 Australians with significant and permanent disabilities rely on the government-funded NDIS, which provides funding for support and services.
In a CHOICE report, disability advocate El Gibbs commented that "the company's response to the breach is concerning".
"Highly sensitive personal information about disabled people may have been exposed, and yet the company isn't going to let those very people know what exactly has been exposed," Gibbs said.
"There is no accessible information about where to get help, instead they are referring people to a complex online form from another agency.
"This is not good enough."
According to a spokesperson for the NDIA, business decisions, including the use of software and data storage, are a "matter for individual organisations" that deliver the services within the NDIS. The spokesperson emphasised that the CTARS breach did not extend to NDIS systems.