NDIA takes six weeks to notify clients of data breach

It took a Senate estimates hearing to expose the full extent of the incident. Meanwhile SA Health has breach problems of its own.


It took six weeks to notify clients, but the National Disability Insurance Agency (NDIA) has finally admitted that 645 participants’ and prospective participants’ information was included in the 1.1 TB of hacked HWL Ebsworth data posted on the dark web in June.

On 25 July the NDIA revealed some personal data was released in the attack, but it took a federal Senate estimates hearing last Wednesday to show the full extent of the breach.

“Based on the data we reviewed from HWLE, we identified that 645 participants were impacted,” NDIA chief counsel Matt Swainson told Senate estimates.

“It almost wholly related to participants or prospective participants. We also had access matters – who were involved in Administrative Appeals Tribunal (AAT) matters with the agency.

“HWLE were engaged by the agency in those matters.”

HWL Ebsworth notified the NDIA that NDIS participants’ data was included in the leak on 10 June and provided the agency with a copy of the published data on 13 June.

“We commenced notifying those participants about July 25 or 27,” said Mr Swainson.

Liberal senator Hollie Hughes said that she was “concerned” by the amount of time that it took to notify the affected participants.

“It is six or seven weeks. From 13 June when the data was known to 25 July is six weeks before participants were starting to be notified,” she said.

Mr Swainson said that after receiving the copy of the leaked data from HWL Ebsworth, a “fairly substantial manual process” was required to confirm which participants were affected and a considered approach was taken to how NDIA communicated the breach to different participants based on their accessibility needs.

“We took frontline staff offline to manually go through those documents to identify those participants who were impacted and whose data was impacted,” he said.

“Once we had that list, we worked through with case managers and agency staff members the most appropriate notification process for each of those affected participants. We tailored the communication to their accessibility needs.

“In terms of what the agency specifically did, we put in place a range of measures. We commenced active monitoring of emails inbound and outbound to put in place fraud detection measures,” he said.

“We added participants onto a fraud watch list to make sure there was no unusual activity that might have been going on with those participants.”

Since the breach NDIA has hardened its own security and also reviewed the security measures of other law firms that it engages, Mr Swainson added.

“We updated our privacy management plan in July this year,” he said.

“We also, throughout July, had individual meetings with all other law firms that were engaged by the agency and the AAT to ask them what additional cyber security measures they had put in place.

“They are external legal firms engaged by the agency but on the Australian whole-of-government panel. Firms are doing additional training. I think one firm engaged hackers to test their systems. There was a range of things that other firms were doing to give us that assurance.”

Meanwhile, ITNews reported that a mobile platform used by South Australian local health networks was breached a fortnight ago, resulting in a folder of “health information” of 121 patients being deleted.

The incident hit third-party provider Personify Care, which underpins the Digital Patient Pathways mobile app used by local health networks across SA Health “to exchange information with patients about their care”.

SA Health said it was “an isolated data incident” that impacted the “health information (personal, medical and/or legal documents) of 121 patients … at Central Adelaide LHN and Southern Adelaide LHN.”

The department said there was “no evidence” the patient data was downloaded or copied, only that it was deleted.

It said the unauthorised access was recognised “within two hours of it occurring” and was resolved jointly by SA Health and Personify Care.

Personify Care is notifying all 121 individuals whose “health information” is affected.

SA Health went on to say the folder contained other data as well: “The affected folder also included the name and phone number for 12,624 patients used to invite them onto the Digital Patient Pathways system, but this did not include any health information.”

Personify Care had called in external assistance, while SA Health had also notified the Office of the Australian Information Commissioner (OAIC) of the breach.

Do you have a story tip for us, or a topic you would like to see us cover? Contact the editor at editor@healthservicesdaily.com.au.