A National Disability Insurance Agency (NDIA) employee has been arrested and charged following an investigation into an insider leak of recipients’ data.
A second person, who allegedly received the information and was “acting” as an NDIS provider, has also been charged.
The National Disability Insurance Agency (NDIA) has not revealed the number of impacted participants.
In a statement, the agency said that “some” of the information included participants’ “full name, date of birth, gender address, including postcode,” but added that “in a small number of cases, [it] is aware of further details being disclosed.”
“There is also no evidence at this time to suggest that personal information has been distributed beyond the network [that is the] subject of these investigations.”
The agency also did not disclose when it first detected the unauthorised disclosure of participants’ of the National Disability Insurance Scheme (NDIS).
A seperate NDIA statement said that “an ongoing investigation into a disability service provider” led to information suspected to have “originated from internal NDIA systems”.
That led to a raid on a Sydney residence of the NDIS staff and charges being laid “related to the alleged unauthorised disclosure of protected agency information”.
An addition warrant was executed on a separate premises in Sydney, “with two individuals, who had been acting as NDIS providers, questioned and one later charged.”
“The pair have been barred from delivering supports to NDIS participants, with the NDIS Quality and Safeguards Commission issuing banning orders against the individuals and two associated provider companies,” the NDIA said.
The agency said it “believes this incident is financially motivated” and that all impacted individuals would be directly contacted by the NDIA.
“In instances where it was identified a participant may be at greater risk due to the level of personal information disclosed, the NDIA has contacted the participant (or their support network) to ensure their welfare and that they continue to receive their disability-related supports.
“As these matters are ongoing, the NDIA is unable to provide further comment at this time.”
NDIA was also caught up in the HWL Ebsworth breach this year, which exposed information recorded in dozens of federal agencies’ systems earlier this year.
In October NDIA revealed that 645 participants’ and prospective participants’ information was included in the 1.1 TB of data hacked from the law firm and posted on the dark web in June; the agency took six weeks to notify all of them.