๐Ÿ”’breach.co.nz ยท the NZ & Australia breach register ๐Ÿ›ก๏ธ A Govern service
Register โ€บ ๐Ÿ‡ฆ๐Ÿ‡บ AU โ€บ Healthcare
Advertising
Your brand, in front of the right people
Run-of-site leaderboard โ€” every ad-supported page across the register.
Enquire โ†’ breach@govern.co.nz

CTARS (NDIS client-management provider)

๐Ÿ‡ฆ๐Ÿ‡บ Australia ยท CTARS Pty Ltd ยท Record AU-2022-0260
โ—‹ Reported โ€” awaiting official confirmation
Reported โ€” awaiting official confirmation. The facts below are drawn from the organisation's own disclosure and credible reporting. Figures are as reported; unknowns are labelled, not estimated by us.
People affected
Not disclosed
Breach date
2022-05
Regulator
OAIC and ACSC (notified)
Trust tier
B ยท Reported

Data exposed

Names, dates of birth, addresses, phone numbers, emails, usernames/passwords and genders Media-reported
Sensitive health and disability data โ€” conditions, treatments and care needs; and, per reporting, Medicare/pensioner card numbers and tax file numbers Media-reported

Confidence: Confirmed = regulator/court ยท Company-confirmed = the organisation's own disclosure ยท Media-reported = press. Figures without an official source are labelled, not estimated.

What happened

In May 2022 CTARS, a cloud client-management software provider used across the disability and NDIS sector, was breached and a sample of data was posted to a dark-web forum [ctars-infoage], [ctars-itnews]. Because CTARS could not confirm the exact scope, it treated all information in the affected database as potentially compromised [ctars-itnews]. Reporting described the exposed data as including names, dates of birth, addresses, phone numbers, emails, usernames and passwords, and genders, together with sensitive health and disability information โ€” conditions, treatments and care needs โ€” and, per media accounts, Medicare/pensioner card numbers and tax file numbers [ctars-infoage], [ctars-itnews].

Timeline

  • 2022-05 โ€” Unauthorised access occurred around mid-May; a data sample was posted online days later [ctars-itnews].
  • 2022-05 โ€” Publicly disclosed at the end of May; CTARS notified the OAIC and the ACSC and engaged IDCARE to support affected people [ctars-infoage].

Current status

Disclosed. CTARS notified the Office of the Australian Information Commissioner and the Australian Cyber Security Centre [ctars-infoage]. Have I Been Pwned indexed roughly 12,000 unique email addresses from the incident, but that count mixes provider staff with NDIS participants and is not an official measure of participants affected โ€” so no figure is asserted here [ctars-hibp].

Why it matters

Disability-care records are among the most sensitive personal data held anywhere, and a breach of the software that many providers rely on can expose participants across dozens of unrelated organisations at once.

GGOVERN Tabletop Exercises ยท Govern house When ransomware hits the ward, will your team know the call? Book a Discovery Call โ†’