CTARS, the maker of a cloud-based client management system used by the Australian National Disability Insurance Scheme (NDIS) as well as disability services, out-of-home care, and children's services, has revealed it was breached on May 15 and found the data posted to the dark web a week later.
"Although we cannot confirm the details of all the data in the time available, to be extra careful we are treating any information held in our database as being compromised," the company has said.
"This data includes documents containing personal information relating to our customers and their clients and carers."
CTARS said it holds personal information of clients, staff carers, and third-party suppliers.
"Due to the very large volume of information held by CTARS and the very lengthy time it would take to review in detail, we are unable to confirm exactly what personal information of yours was affected by the incident," it added.
More forthcoming with the sort of information stored was Have I Been Pwned owner Troy Hunt, who has added the 12,000 impacted email addresses into the site.
"This includes information such as suicide attempts. Mental health issues. Drug use (both prescription and illicit). Violent behaviour. Sexual abuse," Hunt tweeted.
"This has been published to a hacking forum and accessed by an untold number of people. It's horrendous."
Hunt added that a significant number of the impacted people are care staff rather than NDIS clients.
"It's not clear how traceable patient data is back to individuals but at face value, it seems highly likely sensitive personal information can be matched to individuals. Given the sensitivity of the breach, I'd prefer to see CTARS / NDIS provide more commentary on that," he said.
CTARS dismissed the type of proposition put forward by Hunt, although it did state that "diagnoses, treatment, or recovery of a medical condition or disability" is the sort of information stored.
"Health and other sensitive personal information by itself is generally not useful to a cyber-criminal," the company claimed.
"However, we acknowledge and understand that it may be upsetting to have your health or disability information accessed. We regret that this incident has taken place and sincerely apologise for any unease this may cause you.
"If you are experiencing any distress, we recommend that you seek health advice from a registered health professional you know and trust."
IF YOU OR ANYONE YOU KNOW IN AUSTRALIA NEEDS HELP CONTACT ONE OF THESE SERVICES: