JewishCare NSW, a healthcare provider serving the Australian Jewish community, has confirmed a significant data breach. The organization reported discovering a cyber incident on October 28, revealing that sensitive information might have been compromised and shared on the dark web.
Impacted Groups and Potential Data Exfiltration
The breach affects individuals across various categories, including clients, staff, volunteers, donors, and suppliers, both current and former. The scope of the stolen data varies depending on an individual’s association with JewishCare but may include the following:
Client Data
– Personal Details: Dates of birth, phone numbers, email and postal addresses.
– Financial Information: Bank account details, credit card data, statements.
– Identity Documents: Medicare cards, passports, driver’s licenses, and associated photos.
– Health Records: Medical history, care plans, Medicare details, DNR plans, client assessments.
– Family and Legal Records: Next-of-kin data, wills, court orders (including domestic violence family orders), incident reports.
– Service Interaction Data: On-call logs, consent forms, funding allocation letters, and service agreements.
Donor Data
– Contact Details: Emails, phone numbers, postal addresses.
– Financial Records: Payment details, donation histories.
– Personal Information: Communications with JewishCare that may contain health-related or private details about donors and their families.
Staff Data
– Personal Information: Dates of birth, contact details, emergency contacts.
– Employment Records: Bank details, TFNs, salary information, timesheets, performance records, superannuation details, payroll, PAYG records, and working with children checks.
– Identity Documents: Passports, driver’s licenses, Medicare cards, visa information.
– Background Checks: Criminal records, child support details, NDIS worker checks.
Volunteer Data
– Personal Details: Birth dates, contact and emergency contact information.
– Onboarding Information: Identity documents, Medicare cards, passports, background checks, working with children certifications.
– Volunteer Records: Performance reviews, reimbursements, absence details, criminal checks, NDIS worker checks.
Supplier Data
– Business and Contact Information: Emails, phone numbers, postal addresses.
– Payment Information: Bank account details, invoices, and certificates of currency.
Breach Severity and Individual Variability
The extent of data accessed for each individual depends on their specific relationship with JewishCare. Not all individuals have the same set of information exposed, and the above list represents potential, not confirmed, data exfiltration.
JewishCare has advised affected individuals to remain vigilant and take steps to protect their personal information.