CTARS, the creator of a cloud-based client management system (CMS) used by the Australian National Disability Insurance Scheme (NDIS), as well as by disability services, out-of-home care, and children’s services, has claimed it was hacked on May 15 and that the data was discovered on the dark web a week later.
“Although we cannot confirm the details of all the data in the time available, to be extra careful we are treating any information held in our database as being compromised,” said the company. “This data includes documents containing personal information relating to our customers and their clients and carers.”
According to the company, clients, staff carers, and third-party providers’ personal information is held by CTARS. “Due to the very large volume of information held by CTARS and the very lengthy time it would take to review in detail, we are unable to confirm exactly what personal information of yours was affected by the incident,” it added.
Troy Hunt, the proprietor of Have I Been Pwned, was more forthright about the type of information kept, adding the 12,000 affected email addresses to the site. Hunt sent out a tweet stating that the data contains details such as attempted suicides, problems with mental health, drug usage (both prescribed and illegal), violent conduct, and sexual assault. It was posted on a hacking forum and has been viewed by an unknown number of individuals. It’s a nightmare.
According to Hunt, a large percentage of those affected are care workers rather than NDIS clients. He said that it’s unclear how patient data might be traced back to specific persons, but at first glance, it appears extremely likely that sensitive personal information can be linked to certain people. Given the sensitivity of the breach, he’d want to hear more from CTARS / NDIS on the subject.
Hunt’s proposal was dismissed by CTARS. However, it did declare that “diagnoses, treatment, or recovery of a medical condition or disability” is the type of information retained. The company said that health and other sensitive personal information is often useless to cybercriminals.
“However, we acknowledge and understand that it may be upsetting to have your health or disability information accessed. We regret that this incident has taken place and sincerely apologise for any unease this may cause you.
“If you are experiencing any distress, we recommend that you seek health advice from a registered health professional you know and trust.”