To our valued Participants, families and carers,
We are writing to inform you of a recent cyber-attack experienced by our cloud-based client management system provider, CTARS Pty Ltd (CTARS). GPSO uses CTARS for storing the information of some of the people we support, relevant to the services we provide them.
CTARS has informed us that data containing personal information relating to our clients, carers, and their contacts was downloaded from its systems as a result of a cyber-attack. Unfortunately, some of your personal information was on that database and therefore may have been impacted by this incident.
CTARS has reported the incident to the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre, and they have also engaged external cyber-security and forensic specialists to contain the event, implement additional security measures and investigate the incident.
CTARS has also published a statement on its website https://ctars.com.au/ctars-data-breach with more information about what happened as well as advice and recommendations about the steps that people can take in response to the data breach
The personal information that we might hold about or participants include:
- Identifiable information such as your name, date of birth, age, gender, photographs and other client identification numbers (including card numbers) for GPSO, NDIS, Centrelink, companion, pension/concession, seniors, Medicare, proof of age;
Please note for approximately 80% of our Participants we don’t hold any card numbers.
- Contact details and emergency contact details, including physical and email addresses and contact numbers;
- Medical information including information regarding any diagnosis or disability, medications, physical attributes; or
- Cultural and religious information.
Please note that the list above is not exhaustive and we hold different information for different Participants. That being said, for the majority of Participants we hold only contact information, emergency contact details, date of birth and NDIS numbers. However, please do not hesitate to contact us if you require specific breakdown of what information we hold.
What GPSO is doing in response?
Consistent with our mission and values, we take the privacy and security of all personal information very seriously.
When we became aware of the CTARS incident, GPSO immediately contacted CTARS and has since maintained a high level of communication to ensure we best support the people affected by the data breach.
GPSO may release further updates as more facts become available.
Who to contact for more information?
If you are concerned about the potential misuse of your personal information, CTARS have arranged free support from IDCARE, Australia’s national identity and cybersecurity community support service.
Please engage an IDCARE Case Manager via IDCARE’s Get Help Web Form at https://www.idcare.org/contact/get-help or call 1800 595 160. IDCARE’s services may be accessed by providing referral code CTR22 when completing its Get Help Web Form.
Alternatively, you may visit IDCARE’s Learning Centre for further information and resources on protecting your personal information https://www.idcare.org/learning-centre.
GPSO is available to assist you in accessing the support offered through IDCARE.
GPSO is committed to working with CTARS and our Participants, carers and families on resolving the issue and sincerely apologise for the inconvenience and concern this incident may have caused. GPSO will endeavour to contact you immediately if we are made aware of any specific individual information released.
Please don’t hesitate to contact me at firstname.lastname@example.org if you wish to discuss this further or if GPSO can assist you in any way.