A security breach of a cloud-based client management system used by National Disability Insurance Scheme (NDIS) service providers has exposed a “large volume” of health and other sensitive data.
CTARS, a Sydney-based software and analytics provider for the disability and care sectors, this week revealed an unauthorised third-party had gained access to its systems on May 15.
Less than a week later, on May 21, the company became aware that “a sample of that data had been posted on a [dark] web forum” after the third-party claimed it had “taken a large volume of data”.
“Although we cannot confirm the details of all the data in the time available, to be extra careful we are treating any information held in our database as being compromised,” CTARS said in a notice on its website.
“This data includes documents containing personal information relating to our customers and their clients and carers.”
NDIS participants who rely on a disability care provider that uses CTARS for record keeping have been warned that “personal, health and other sensitive information” was stored in its systems.
The information page on the data breach suggests that sensitive health data “could include details of the diagnoses, treatment, or recovery of a medical condition or disability”.
Other data thought to be compromised includes Medicare and pensioner card details, as well as tax file numbers.
CTARS said that while the “very large volume” of data in its systems made it difficult to confirm the extent of the compromise, affected individuals would be contacted by their NDIS provider.
“If you have not been informed that your NDIS or OOHC [out of home care] provider uses CTARS and is part of the data breach then you have no reason to be concerned,” it said.
A spokesperson for the National Disability Insurance Agency (NDIA) told iTnews that it had been in contact with CTARS since being made aware of the breach.
CTARS has also reported the incident to the Office of the Australian Information Commissioner and the Australian Cyber Security Centre.
“CTARS provides a cloud-based client management system for the disability and care sectors, which the agency understands some NDIS providers do use as part of their operations,” the NDIA spokesperson said.
“Business decisions, including the use of software and data storage, are a matter for individual organisations.”
NSW-based disability support services provider Caringa is the only NDIS service provider shown to be a customer on the CTARS website, along with aged care providers Catholic Care Diocese of Broken Bay, and Stepping Stone House.
The NDIA spokesperson also sought to stress that the incident was “not a breach of NDIA systems”.
“NDIS participants can be assured that the NDIA takes the protection of participant data and information security extremely seriously,” the spokesperson added.
CTARS has engaged identity and cyber support service IDCare to help NDIS participants and providers, and OOHC participants and carers, navigate the data breach.
The company has also sought the assistance of external cyber security and forensic specialists to “help contain the event, implement additional security measures and investigate the breach”.
“We take the privacy and protection of your personal information extremely seriously and sincerely regret any impact this incident may have on you,” CTARS added.
Update: Data breach repository Have I Been Pwned, which is run by security expert Troy Hunt, on Wednesday said the number of compromised email addresses was approximately 12,000.
Taking to Twitter, Hunt said a "significant portion of the email addresses belong to staff at care providers rather than individual patients", around 15 percent of which are "pre-existing accounts" in Have I Been Pwned.
He also said that while it is not clear "how traceable patient data is back to individuals", it is "highly likely" that sensitive personal information can be matched to individuals, and for this reason CTARS and the NDIS should be providing more commentary.