The agency overseeing the National Disability Insurance Scheme (NDIS) has found “some” participants, prospective participants, their families and carers and staff are caught up in the HWL Ebsworth breach.
The National Disability Insurance Agency had been examining its potential exposure to the incident since last month.
In a new statement, the agency apologised to the people impacted by the breach “for any distress caused”.
“While the NDIA’s systems have not been compromised, HWL Ebsworth is an external law firm that provides legal services to private clients and government agencies, including the NDIA,” it said.
“We recognise this may be distressing for affected individuals.”
HWL Ebsworth was breached at the end of April by threat actors using ALPHV/BlackCat ransomware. Exfiltrated data was published the following month, and the law firm, together with forensic investigators, has been going through the leaked material since.
Some 40 government departments and agencies – federal and state – are reportedly impacted in some way.
On the government side, the issue is being coordinated through a new cyber security function in Home Affairs.
The NDIA said it is “working closely with HWL Ebsworth to ensure those affected are appropriately identified, notified and supported as we confirm what information has been affected”, adding it would make direct contact.
“Only participants and prospective participants who have engaged with HWL Ebsworth have the potential to be affected, as well as other associated individuals,” the agency said.
“The NDIA is taking additional precautions to protect potentially impacted individuals including actively monitoring plans and account transactions for any unusual or suspicious activity.”
The NDIA said that participants with concerns could call it on 1300 216 807.