A Sydney law firm is considering a class action against NDIS client management system provider CTARS over a security breach that exposed sensitive health data belonging to NDIS participants.
Centennial Lawyers, which is known for Australia’s first privacy class action in 2017, is conducting “preliminary investigations” into the CTARS data breach, with a view to initiating a class action.
CTARS last week revealed that a “large volume” of personal, health and other sensitive data belonging to NDIS participants and other individuals was accessed by an unauthorised third party in May.
A sample of the data, which could include details of diagnoses, treatment or recovery of a medical condition or disability, has already been posted on the dark web, according to the company.
Medicare and pensioner cards, as well as tax file numbers, are also thought to have been compromised.
Data breach repository Have I Been Pwned, which is run by security expert Troy Hunt, has estimated the number of compromised email addresses at approximately 12,000, a “significant portion” of which belong to staff at care providers.
Hunt has suggested that it is "highly likely sensitive personal information can be matched to individuals".
Centennial Lawyers is calling for those who have been contacted by their NDIS service provider to provide relevant details about the breach.
The law firm is particularly keen to understand when individuals were notified about the breach and the type of data that was compromised.
Centennial Lawyers has a track record of legal action over data breaches, having successfully brought a class action against the NSW Ambulance Service over a data breach in 2017.
The class action resulted in a $275,000 settlement over the access and sale of the personal data of 130 staff in 2013, with the lead plaintiff receiving $10,000 and the remaining 108 participants receiving $2400 each.
Centennial Lawyers is also continuing to investigate a class action against Service NSW for its 2020 data breach that saw the personal information of 104,000 customers stolen in an email compromise.