Class action looms over NDIS third party data breach


Denham Sadler
Senior Reporter

A class action lawsuit will potentially be launched following the breach of an NDIS third party client management system which saw a “large volume” of highly sensitive health data compromised.

Centennial Lawyers, the firm which led the first privacy class action in Australia, has confirmed it is investigating the recent breach and has called for individuals impacted by it to get in contact.

It was revealed last week that an unauthorised party had gained access to third party NDIS client management system CTARS and uploaded a sample of this data to the dark web in May.

CTARS said it was unable to determine what data was compromised but it was likely to include sensitive health data.

Cybersecurity expert Troy Hunt has analysed the data and said it is “extraordinarily bad” and includes information on suicide attempts, mental health issues, drug use and sexual abuse.

NDIS clients have been told they will have been contacted by their service provider if they have been impacted by the breach, and the NDIA has referred individuals to CTARS and IDCARE.

Centennial Lawyers has now put out a callout to those impacted by the data breach for a potential class action lawsuit. The firm has asked individuals to provide information on when they were contacted by their NDIS service provider and the type of the personal information involved.

The law firm led the first privacy class action lawsuit recently, on behalf of all NSW Ambulance employees and contractors whose sensitive health and personal information was subject to a mass data breach in 2013 after a contractor gained access to the records and database and sold this to another party.

This lawsuit was launched in 2017 and eventually settled in late 2019 for $275,000.

Centennial Lawyers is also investigating a potential class action over the Service NSW data breach last year, which impacted around 100,000 people and potentially exposed their sensitive personal and health information to hackers.

A class action lawsuit may be the only recourse available for those impacted by the data breach, with Australia still not having a tort for serious breach of privacy, despite this being recommended by the Australian Law Reform Commission nearly 10 years ago.

The introduction of such a tort is being considered as part of a wide-ranging review of the Privacy Act.

Mr Hunt said the data involved with the CTARS breach is as sensitive as it gets.

“Particularly when we’re talking about vulnerable people, this is extremely volatile information and it’s horrendous to see it abused in this way,” Mr Hunt said.

“It’s just a terrible class of information to be disclosed this way. At the very least you’ve got peoples’ names and behaviours and medications, and certainly people could recognise themselves there and almost certainly other people could recognise them.”

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories