Family Planning NSW has told customers their personal information may have been compromised after the not-for-profit fell victim to a ransomware attack.
The organisation provides advice on contraception, pregnancy, and sexual health, and it is believed the databases breached contained information on around 8,000 clients who had contacted Family Planning NSW to make an appointment or leave feedback through its website.
It was confirmed to clients via email that the not-for-profit that provides vital assistance to the state suffered the breach on Anzac Day — April 25, 2018.
“Since the attack we have had no evidence that this information has been used by the cyber attackers,” the email, signed off by chair Sue Carrick and chief executive Ann Brassil, said.
“All web database information has been secure since this time and more sensitive medical records held internally were never under threat.”
Those potentially caught up in the breach would have accessed the organisation’s online services in the past two-and-a-half years.
The organisation said the situation has been “contained”, but its website will remain offline until a security review and internal testing are completed.
Clients were told Family Planning NSW was one of several agencies targeted by criminals who requested ransom via bitcoin on the day of the attack.
“We are conducting a thorough review of our information security to ensure all clients can continue to trust us for their reproductive and sexual health services,” the email continues.
“We understand that as a client who may have provided personal and/or health information through the appointment or feedback forms, you may be concerned by the potential breach. We’d like to reassure you again this form does not connect to our internal medical records.”
Family Planning NSW has five clinics throughout the state in Ashfield, Dubbo, Fairfield, Penrith, and the Hunter region, with more than 28,000 people visiting every year.
The Office of the Australian Information Commissioner (OAIC) reported last month it had received 63 notifications since Australia’s Notifiable Data Breaches (NDB) scheme came into effect on February 22, 2018.
The Quarterly Statistics Report: January 2018-March 2018 revealed that health service providers accounted for 15 breaches; legal, accounting, and management services suffered 10; finance, including superannuation, reported eight breaches; education suffered six; and charities four.
The NDB scheme requires agencies and organisations in Australia that are covered by the Privacy Act 1988 to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm” as soon as practicable after becoming aware of a breach.
According to the OAIC, 73 percent of eligible data breaches reported involved the personal information of fewer than 100 individuals, with just over half of the notifications involving the personal information of between one and nine individuals.
27 percent of notifications under the NDB scheme involved more than 100 individuals, the report highlighted.
The most common kind of breached information reported to the OAIC was contact information, which was the subject of 78 percent of the total breaches reported.
Health information was potentially compromised in 33 percent of the cases.
Intelligence agencies, not-for-profit organisations or small businesses with turnover of less than AU$3 million annually, credit reporting bodies, and political parties are exempt from the NDB.
Although 63 data breaches were reported to the Office of the Australian Information Commissioner in less than six weeks, FireEye’s Mandiant has warned that the true figure is higher, because organisations are unsure whether their breach meets the scheme’s notification threshold.