Sensitive NDIS health data breached in client platform hack

Denham Sadler
National Affairs Editor

A “large volume” of highly sensitive health data has been compromised as part of a hack of a cloud-based client management system for NDIS service providers, with a sample posted on a “deep web forum” last week.

CTARS – a cloud-based client management system provider for NDIS, disability services, out of home care and children’s services – revealed this week that an unauthorised third-party had gained access to its systems on 15 May.

The third-party posted a sample of the stolen data around a week later on a “deep web forum”, the company said.

In the statement, CTARS said it is unable to determine what data has been compromised, but it likely includes sensitive health data such as the details of diagnoses, treatments and conditions and disabilities.

“Although we cannot confirm the details of all the data in the time available, to be extra careful we are treating any information held in our database as being compromised. This data includes documents containing personal information relating to our customers and their clients and carers,” the CTARS statement said.

There is now an “extreme level of risk” in terms of identity theft and fraudulent claims by providers and imposters using the leaked data, Centre for Digital Business chief executive and former NDIS head of technology authority Marie Johnson said.

“Data breaches create serious risk of harm – for people who are already suffering from these defective systems,” Ms Johnson told

“This is like having the My Health Record on the dark web. The individual has very little power – and people’s identity would be compromised. There is no way that this can’t be the case. And people won’t know that it has happened. These are the most vulnerable at-risk people.”

In the statement, CTARS said that individuals who have not been contacted by their NDIS service provider about the breach should not be concerned about it.

“That is not reassuring and understates the seriousness of what has happened. This data belongs to the most vulnerable people in Australia,” Ms Johnson said.

“The primary concern must be for the safety of participants and the continuation of supports. And there is a real risk that safety and supports will be affected. What is to guarantee that payments will not be affected – and therefore the continuation of supports.”

CTARS confirmed it has reported the data breach to the Office of the Australian Information Commissioner and the Australian Cyber Security Centre, and has engaged IDCARE for assistance.

But there is little recourse for individuals impacted by the data breach, with CTARS recommending they contact IDCARE for individual case management and assistance.

Despite a recommendation nearly 10 years ago by the Australian Law Reform Commission for the introduction of a tort for serious breach of privacy, there has been no progress on this since, leaving victims of this latest breach with little legal recourse.

This now needs to change, Electronic Frontiers Australia chair Justin Warren said.

“Then we could at least seek compensation and redress for privacy harms while we wait for these organisations to get better at information security,” Mr Warren told

“Australians have been demanding more robust privacy protections for years, and it’s past time to act. The new government has a chance to endear itself to all Australians by finally making privacy a priority.”

The introduction of such a tort has been a key issue of the ongoing review of the Privacy Act.

The data breach will have real consequences for individuals, Mr Warren said.

“People understand they need to give up some privacy to seek medical assistance. They entrust this very private information to others so that they can be helped, and yet they’re now constantly at risk of harm from organisations that can’t keep our information secure,” he said.

“This case highlights, once again, how those we entrust with our private information often fail to live up to their end of the bargain. When that happens, there is very little we can do to seek redress for the harm we suffer.”

Do you know more? Contact James Riley via Email.

  1. Daniel 2 years ago

    IMO government data should not be allowed on commercial grade public cloud. We have secure cloud for a reason.

    I know the argument is that the company should have done more, but there is constant stream of government data breaches on the globals. When was the last time you heard of a data breach on one of the secure clouds?

  2. Peter 2 years ago

    Why oh why was not the data deemed sensitive, encrypted in the database.
    Yes AWS is encrypted at all levels, but this is a failure here with protecting data deemed sensitive while at rest

  3. John P 2 years ago

    No mention of AWS?

Leave a Comment

Related stories