Notification of privacy incident
It has been identified that there was a low-risk data privacy breach within Gateway Health that involved some personal information of a small number of clients.
Based on our investigation, we understand that personal information that has been affected by this incident includes:
- Personal information relating to a limited number of clients who accessed the Community Inclusion program under a National Disability Insurance Scheme (NDIS) package in the years 2018 – 2023.
- Personal information including:
  - Names
  - Residential and postal addresses
  - Phone numbers
  - NDIS membership numbers and participant information
  - NDIS package details including service types and funds allocated
  - Health and social information including diagnoses and disabilities.
What have we done in response to the breach?
We have notified the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breach Scheme, as per the Privacy Act 1988 (Cth), and advised the NDIS of package recipients involved. We have also notified all clients who were able to be individually identified as having personal information involved.
We are reviewing policies and security practices concerning the ability of unauthorised external devices to be used on our computers, to reduce the potential for this to happen again.
Recommended steps that individuals can take
This breach has been thoroughly assessed and has been deemed LOW RISK. This is due to the above actions taken and the fact that at no stage has your information been made publicly available.
However, you should carefully review the information that was affected by this incident and think about whether this could result in you experiencing any harm. Some of the steps you may consider taking to protect yourself include:
- Be aware of emails and telephone calls from people requesting your personal details (especially things like your date of birth, residential address, email address, username or passwords, which are often used to verify your identity).
- Change your NDIS account password.
- Contact IDCare on 1300 432 273 or visit www.idcare.org. IDCare can provide you with additional guidance on the steps you can take to protect yourself from identity fraud.
- If you start to receive unwanted telemarketing calls, consider registering your number with the Australian Communications and Media Authority’s ‘Do Not Call register’ by visiting www.donotcall.gov.au/consumers/register-your-numbers. You can also contact your service provider and request to change your number.
- Alert your NDIS package provider so that they can implement additional monitoring and security protocols on your account.
- Closely monitor your NDIS financial statements for unauthorised transactions. If you identify a transaction you didn’t make, report it immediately to NDIS or your Support Coordinator.
Further information is also available on the Office of the Australian Information Commissioner’s website at https://www.oaic.gov.au/privacy/your-privacy-rights/data-breaches.
More information
If you have any concerns about what has happened or would like further information, you can contact the Privacy Officer by email at inforequest@gatewayhealth.org.au.
If you are not satisfied with how we have handled this, you can contact us to make a complaint at inforequest@gatewayhealth.org.au.
If we cannot resolve your complaint, you can then make a complaint to OAIC. You can find out more about how to make a complaint to OAIC at https://www.oaic.gov.au/privacy/privacy-complaints.
Chief Executive Officer
Gateway Health