Data leaks and PWD

First Published: Wed Oct 19 2022
Last Updated: Wed Oct 19 2022

Soooo, this has not been a good year for data leaks/hijackings/ransoming/etc in Australia.

Of course the biggest by far this year was the Optus hack, with a purported 9.8 million customers and former customers possibly affected. The details nabbed by the hacker/s include names, addresses, date of birth etc. In fact for some Optus customers those details also included their Medicare, Drivers License and Passport numbers, forcing them to get new cards, licenses and passports issued.

Leaving Optus aside, there has been a rash of data breaches, both intentional and accidental. From iCare (the NSW Government Insurer) accidentally mailing out the details of 193,000 claimants to the wrong companies/insurance brokers to the deliberate hack of CTARS (a cloud based client management system for health related businesses) and the announcement that it considers all of its data potentially compromised (including the personal and medical details of the clients being managed by CTARS customers).

Oh and of course there's todays announcement that someone is demanding that Medibank Private pay up, or they'll start releasing the medical details of influential people gained through a recent hack.

“We offer to start negotiations in another case we will start realizing our ideas like 1. Selling your Database to third parties 2. But before this we will take 1k most media persons from your database (criteria is: most followers, politicians, actors, bloggers, LGBT activists, drug addictive people, etc) Also we’ve found people with very interesting diagnoses. And we’ll email them their information.”

The last one is interesting and concerning (well they're all concerning) for PWD. The actual threat is is to weaponise the information they claim to have stolen (the SMH hasn't been able to verify at this point whether they have the data). This means taking the most personal information about a person and releasing it in a manner that person has no control over.

For a group of people who traditionally have NOT had great experiences with privacy in the past the thought of someone just dumping their entire medical history on the net for anyone to see is extra confronting.

The CTARS incident also highlights something for me. The NDIS has spawned a mini eco-system of third party providers all aiming to help make things easier for either the participants themselves or those who look after them (CTARS being a good example as many of their clients are NDIS providers). These providers have access to so much information about the participants, from medical conditions, through to enough information on the participants NDIS plans that IF someone got hold of it, they could do some serious damage.

I had a look around the intarwebs this evening to see if I could find anything about standards for data storage and security that the NDIS might impose on providers but I couldn't find anything immediately. I will keep looking, but the closest I've found is this - - which seems to be aimed more at the management level and definitely doesn't seem to hold a  “You must do this” EXCEPT when referring to the various bits of privacy legislation.

I've hammered this out late so might have to tidy up, but will definitely be following this up, because I KNOW there are a lot of PWD who are really worried right now.