JewishCare NSW, a healthcare provider for those in the Australian Jewish community, has disclosed a major data breach.
The healthcare firm said that on 28 October, it discovered that it had suffered a cyber incident and that data may have been compromised and posted on the dark web.
The data exfiltrated varies from person to person depending on the individual's relationship with JewishCare, but current and former clients, staff, volunteers, donors and suppliers were affected.
Client data – dates of birth, phone numbers, email addresses, residential/postal addresses, bank account information, credit card details and statements, identity documents such as Medicare cards, passports and licenses, photos, next-of-kin data and other family information, wills, incident reports, court orders, including domestic violence family orders, information shared between clients and JewishCare, including on-call logs, service instructions, consent forms, service level agreements, funding information and allocation letters, and health and medical data, including do-not-resuscitate plans, client and provider assessments, Medicare details, medical history and care plans.
Donor data – donor IDs, contact information such as emails, phone numbers and residential/postal addresses, payment details, history of payments and communications with JewishCare, which could contain personal experiences, health information about individuals and their loved ones and more.
Staff data – birth dates, contact and emergency contact information, including emails, phone numbers and residential/postal addresses; onboarding information and documents such as passports, driver’s licenses, Medicare card scans, background check information and visa data; employee-specific information, including bank account, superannuation, TFN, salary package and remuneration, PAYG details, payslips, timesheets, payroll details, employee file data, including Centrelink details, expense reimbursements, absence details, performance, illness and other employment records, working with children checks, child support information, criminal checks and NDIS worker checks.
Volunteer data – birth dates, contact and emergency contact information such as emails, phone numbers and residential/postal addresses; volunteer onboarding information and documents such as passports, driver’s licenses, Medicare card scans, background check information and visa information; volunteer file information, including Centrelink details, expense reimbursements, absence details, performance, illness and other employment records, working with children checks, criminal checks and NDIS worker checks.
Supplier data – contact information such as emails, phone numbers, and residential/postal addresses, as well as payment details such as bank account information, certificates of currency, and invoice descriptions.
It is worth noting that the data exfiltrated varies from person to person. The lists above do not indicate how much data was exfiltrated for each person, only the types of data that may have been accessed.