Almost 650 National Disability Insurance Scheme (NDIS) participants and prospective participants have still not been told which of their health records were leaked on the dark web in June last year.
HWL Ebsworth, which represented the National Disability Insurance Agency (NDIA) at the Administrative Appeals Tribunal (AAT), had documents covering several years of some impacted individuals’ medical and psychological histories at the time of the breach.
Bell*, who has an autoimmune disease, told iTnews that HWL Ebsworth obtained more than 900 pages of documents as part of an appeal against NDIA’s decision that she was ineligible for NDIS.
“They contacted my local hospital and summoned every specialist and allied health professional who I’d seen – everyone who’d touched on any of my health concerns,” Bell said.
Some of the information HWL Ebsworth obtained “doesn’t relate to the condition that’s being assessed,” Bell said, including health professionals’ reports containing details of a domestic violence situation she had been in.
A letter [pdf] HWL Ebsworth sent in December notified Bell that “health/medical information” was identified as “likely” to have been “accessed” without specifying which of her details or documents.
Ray*, who has “psychosocial, depression and anxiety due to burn out”, told iTnews that he was also appealing a review of an NDIA decision to deallocate funding he previously received under the scheme for support services.
As with Bell, HWL Ebsworth had obtained a wide range of Ray’s documents during the AAT proceedings, including, “all my psychology reports, all my OT [occupational therapist] reports, my whole history of mental health,” he said.
Both Bell and Ray have since been notified that their data is part of the HWL Ebsworth breach, but neither has been able to find out exactly what was stolen.
“[An NDIA employee] told me information, including medical records, got hacked, but she couldn’t tell me which of it,” Ray said.
“I still don’t know what the hackers have; I can’t access it on my own because the law firm went to the Supreme Court for an injunction, so I can’t even legally find out.”
In the dark
Bell and Ray are part of a cohort of 644 individuals that NDIA has notified as being impacted by the HWL Ebsworth data breach.
The 644 individuals NDIA has notified are not all of the NDIS participants and prospective participants included in the leak; they are only those readily identifiable within the data without a manual review.
NDIA has only recently completed a more extensive, manual review to identify additional individuals whose data was included and to confirm what information relating to each individual was included.
“The NDIA will continue to work to ensure those affected are appropriately supported,” a spokesperson for the agency told iTnews.
“This includes future contact to impacted individuals to notify them of what information has been affected, and any additional steps they can take to protect themselves.”
A spokesperson for HWL Ebsworth attributed the delayed and incomplete notifications to “the volume and unstructured nature of the data… that was accessed by the criminals.”
“Given the need to undertake the data analysis in a thorough and accurate manner, the analysis process took an extended period of time but has now come to an end,” the spokesperson said.
“HWL Ebsworth understands that impacted individuals want to have a full understanding of any sensitive information that was accessed by the cybercriminals.
“We can confirm that, for the vast majority of impacted organisations, notifications to affected individuals have been completed.”
But other observers have expressed concern at the lack of specifics being offered to victims.
Disability rights advocate and independent chair of Every Australian Counts Dr George Taleporos told iTnews that he was “concerned” by NDIA’s lack of communication.
“NDIS participants have the same right to privacy as anyone else,” he said.
“It is essential that our privacy is maintained, and I’m very concerned by this breach and by the lack of information provided to participants about what data was breached.”
Shadow Minister for Cyber Security James Paterson, who obtained a list from Home Affairs last week of all government agencies caught up in the hack [pdf], told iTnews that impacted individuals would benefit from more prompt communication.
“Prompt notification is essential so that potential victims can take steps to protect themselves from further victimisation from cybercriminals.
“I am concerned it has taken HWL Ebsworth and the federal government so long to identify which documents have been lost and to notify the victims,” he added.
A “fishing expedition” for health documents
There are still unanswered questions as to why such a vast amount of sensitive information needed to be collected by the law firm on NDIA’s behalf as part of appeal proceedings.
Ray said “there was too much asked,” during the AAT proceedings.
Bell concurred, adding that “contacting all these health practitioners about my entire medical history is irrelevant to the process.”
“It is a fishing expedition that creates a chilling effect on both the practitioners themselves and the applicants; it alienates us…. I suggested they were doing this to cherry-pick,” she said.
“I applied for the NDIS because I have autoimmune conditions, including ankylosing spondylitis (AS), which is my primary condition.
“AS is a degenerative condition. The fact that it is not stable was part of the many and changing arguments that [HWL Ebsworth] used to reject my application during the AAT process.
“One time I was in hospital after an emergency flare and had many hospital practitioners briefly visit my bedside taking notes.
“One form question was ‘can patient walk 100 steps’ and the staff marked ‘yes’, and they referenced that in their rejection arguments.”
HWL Ebsworth did not answer iTnews’ questions about why it collects so much information, or whether it has a data retention policy under which sensitive information is deleted once its retention period elapses.
Senator Paterson said these were questions that should be answered.
“Given the ever-present risk of data breaches like these and the severe impact it can have on potential victims, the NDIS should request no more information than is absolutely necessary to assess the claim on its merits,” he said.
“This information should then only be retained as long as it is strictly necessary, consistent with the requirements imposed on private organisations under the Privacy Act.
“It is up to the NDIS to justify why this amount of information was necessary, and why it wasn’t better protected.”
Dr Taleporos said, “I am also dismayed by the amount of personal information that participants were forced to provide. It is important that the agency makes sure this never happens again.”
HWL’s injunction stopped impacted individuals from checking themselves
HWL Ebsworth successfully applied to the NSW Supreme Court in June for an injunction preventing “any further broader access to or dissemination” of the leaked data.
“Our approach restricted the possibility of misuse of the exfiltrated data, while still ensuring that affected individuals are notified of their sensitive data that was impacted in this incident,” a HWL Ebsworth spokesperson told iTnews.
The data was only on the ransomware gang ALPHV/BlackCat’s blog for three weeks.
The HWL Ebsworth spokesperson said that the injunction had “proven to be extremely successful.
“In the absence of the injunction, anyone with access to the dark web would not have had any legal restriction to accessing the published portion of the exfiltrated data for the short period of time that it was accessible.”
Ray said that the injunction’s downside was that it also made it illegal for the impacted individuals to check for themselves which documents had been leaked.
Senator Paterson also said that it was “unfortunate” that the injunction restricted impacted individuals from reviewing the data themselves.
“It is highly unorthodox for an injunction like this to be sought. It is very unfortunate that it has led to victims being kept in the dark about their data being stolen.
“The federal government should explain whether or not it endorses HWL Ebsworth doing so, and why.”
*Not their real names.