We regret to inform you that we have experienced a data breach that may have compromised the personal information of a small number of clients of our Broadmeadow centre. Protecting the privacy and security of our clients' information is of utmost importance to us, and we are taking this incident very seriously.
We are deeply sorry to inform you that we believe some personal information belonging to patients at our Broadmeadow Service Site located at Konara, Suite 2, Level 3/15 Lambton Rd, Broadmeadow NSW 2292, may have been lost in an incident that took place on or about 13 July 2022.
The incident involved the loss of a hard copy exercise book containing personal information belonging to patients as a result of a regrettable human error. While we do not know exactly how many clients were affected or who those clients are, it is estimated that there may be up to a dozen clients' information contained within the exercise book based on our assessment of similar record keeping practices.
While we have not received any information suggesting that any patient’s personal information has in fact been accessed by an unauthorised party, or that personal details of any patient have definitely been accessed, we have decided to inform all our patients at our Broadmeadow Service Site, who may potentially have been affected by the data breach.
What information was involved?
The exercise book has a number of hospital stickers pasted in it, together with handwritten notes made by the relevant surgeon. Based on our assessment of similar record keeping practices, we believe the information lost may include some or all of the following:
- Phone number
- Admission date
- Date of birth and age
- Medicare number and expiry date
- Private healthcare card number
- Name of doctor/surgeon
- Pensioner card number
- Handwritten notes by surgeon most likely to be contained as codes and serial numbers.
Following reasonable enquiries, we do not believe the following information has been lost:
- Your credit card and/or financial details
- Primary identity documents
- NDIS claims data.
Given the type of information lost, we are of the view that there is potential for identity theft.
Actions we have taken
We sincerely regret this incident and assure you that we have improved our systems to mitigate against this situation from arising again.
The actions we have taken include:
- Immediately after becoming aware of this incident, significant efforts were made to attempt to locate the lost exercise book (by checking with the surgeon, their office and also the hospital where the procedures took place).
- Sign-off procedures between NextSense and the surgeon team and the hospital have been reviewed and a new process has been implemented to ensure security and handover of documentation occurs on each occasion.
- A permanent secure electronic register has been implemented to track movement of this data and sensitive information. We are exploring electronic two-factor authentication security alternatives for the future as a means of further refining security measures associated with the data transfer process.
- An audit process has also been implemented to ensure compliance at a frequency of no less than once per quarter.
What you can do to protect your data/information
If you are concerned about the potential loss of your personal information and may be a victim of identity theft, you may visit IDCARE, Australia and New Zealand’s National Identity and Cyber Support Service. Their contact number is 1800 595 160.
Please be assured that people cannot access your Medicare details with just your Medicare card number. If you are concerned, you can replace your Medicare card using your Medicare online account through myGov.
Extra precautions you can take
We recommend being vigilant with your online communications and transactions, namely:
- Be alert for any phishing scams that may come to you by phone or post.
- Be careful when opening or responding to texts from unknown or suspicious numbers.
- Make sure to verify any communications you receive to ensure they are legitimate.
NextSense and our surgeon team will never contact you asking for your password or additional financial details over text or post.
For more information
Please note that this event has been assessed as an ‘eligible data breach’ under Part IIIC of the Privacy Act 1988 (Cth) and the Office of the Australian Information Commissioner has been notified of this event. This notification has been issued under section 26WK of the Privacy Act 1988 (Cth).
If you are feeling distressed or anxious, please reach out. You can contact your GP or the following support services:
If you have any questions, please contact Nicholas Butler, Head of Enterprise Risk at NextSense at Nicholas.Butler@nextsense.org.au.