APUNIPIMA CYBER-SECURITY INCIDENT UPDATE (Wednesday 22 March, 2023)
Notification of Apunipima patient, client and staff information possibly accessed during cyber-incident
As previously advised, Apunipima Cape York Health Council (Apunipima) experienced a cyber-incident in October 2022 where an unknown third-party gained unauthorised access to some of Apunipima’s computer systems and may have viewed some personal information of Apunipima patients, clients, and staff.
As soon as we became aware of the incident, we reported it to relevant authorities including the Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commissioner (OAIC) and relevant Government agencies. We also issued a number of public announcements that the incident had occurred and worked alongside IDCARE to provide initial advice and support to members of the community whose information may have been involved.
We recently completed our forensic investigation which has confirmed that some information (see full list below) stored in Apunipima’s computer system at the time of the incident may have been accessed by the unauthorised third-party.
While this information may have been accessed, we would like to reassure you that:
- our investigation has revealed no evidence that any of this personal information has been misused;
- the involved information is mostly Medicare numbers and other transactional health information, such as healthcare identifiers. For a small number of individuals, other information types may have been involved as well;
- Apunipima has already taken a number of precautionary steps to protect the information that may have been accessed, including liaising with Services Australia and the Australian Tax Office, which means the risk associated with that information is low.
Please note that each individual is affected differently, and if your information has been involved you will shortly receive a tailored statement via postal mail confirming precisely what information of yours was involved, and steps we recommend you take in response.
In the meantime, we recommend all previous Apunipima patients, clients and staff who may have provided Apunipima with any of the information types listed below review the advice we have included below those information types.
We sincerely apologise that this incident happened and for any concern it may cause our valued patients, clients and staff across the Cape York region.
If any member of the community has questions after reading this notification, please visit an Apunipima centre and ask to speak to one of our managers about the cyber-incident; they will be able to answer any questions you may have. You can also contact our support team on (07) 4037 7192 (between 8.30am and 4.30pm AEST Monday to Friday) or email notify@apunipima.org.au.
Yours sincerely
Debra Malthouse
Chief Executive Officer
Apunipima Cape York Health Council
Steps you can take to protect yourself from potential data misuse
Questions and Answers
Q: What information was involved?
A: The following information of some of our patients, clients and staff may have been accessed during the cyber incident. Please note that each individual is affected differently, and if your information has been involved you will shortly receive a tailored statement via postal mail confirming precisely what information of yours may have been impacted.
- Contact information
- Name
- Email address
- Street address
- Phone number
- Tax File Numbers (TFNs)
- Medicare card numbers (numbers only, not card copies)
- Expired Medicare card numbers (numbers only, not card copies)
- Medicare card copies
- QLD driver licence numbers/card numbers (numbers only, not card copies)
- QLD driver licence copies
- Passport copies
- Expired passport copies
- Healthcare identifiers
- Individual Health Identifier numbers
- URNs
- UIDs
- NDIS
- Medical claim numbers
- Bank card copies
- Bank card (credit card number and expiry date) details
- Expired bank card (credit card number and expiry date) details
- Centrelink Customer Reference Numbers (CRNs)
- Health information identifiers
- Medical conditions
- Medication details
- Allergies
- Change of name certificate copies
- Superannuation membership IDs
Q: What precautionary steps can I take?
A: We recommend that anyone who may have provided us with the above types of information should consider their individual circumstances and consider taking the following steps:
Contact information
Where a third party may have accessed your contact information, it is important to:
- be aware of email, telephone and text-based scams. Do not share your personal information with anyone unless you are confident about who you are sharing it with.
- when on a webpage asking for your login credentials, take note of the web address or URL (‘Uniform Resource Locator’). The URL is located in the address bar of your web browser and typically starts with https://.
- if you are suspicious of the URL, do not provide your login details. Contact the entity through the usual channels to ensure you are logging into the correct web page. Please note that Apunipima will never contact you to ask for your username or password.
- enable multi-factor authentication for your online accounts where possible, including your email, banking, and social media accounts.
- ensure you have up-to-date anti-virus software installed on any device you use to access your online accounts.
- follow the Australian Competition and Consumer Commission’s Scamwatch guidance for protecting yourself from scams here: https://www.scamwatch.gov.au/get-help/protect-yourself-from-scams/
- for more information, you can visit the OAIC’s tips for further guidance about protecting your identity: https://www.oaic.gov.au/privacy/your-privacy-rights/tips-to-protect-your-privacy/.
Tax File Numbers (TFNs)
Some TFN information may have been accessed during the cyber incident.
We have told the Australian Taxation Office (ATO) that TFNs may have been accessed. The ATO is in the process of setting up monitoring and applying protective measures for the affected TFNs. As a result, we consider the risk associated with this information to be low.
There is nothing further you need to do, however if you want to contact the ATO yourself you can contact them via:
- telephone: 1800 467 033 (available 8am to 6pm AEDT, Monday to Friday).
More information is available on the ATO’s website.[1]
Medicare card numbers (numbers only, not card copies)
Some Medicare card numbers (not copies of Medicare cards) may have been exposed during the cyber incident.
People can’t access your Medicare details or Medicare account with just your Medicare card number. Unlike a scan or copy of a Medicare Card, a Medicare card number by itself cannot be used as a proof of identity.
We have already told Services Australia that some Medicare card numbers may have been exposed during the cyber incident. Services Australia will be increasing the security on these Medicare accounts to protect the related Medicare records from being misused. As a result, we consider the risk associated with this information to be low.
If you are concerned about the security of your Services Australia accounts, you can contact the Services Australia Helpdesk on 1800 941 126 (available 8am to 5pm AEDT Monday to Friday).
We also suggest you look at the latest copy of your consumer credit report for anything unusual. Instructions on how to get a credit report or credit ban are provided towards the end of this letter.
Expired Medicare card numbers (numbers only, not card copies)
Some expired Medicare card details (not copies of your Medicare card) may have been accessed during the cyber incident. Please be assured people can’t access your Medicare details with just your expired Medicare card number. Unlike a photocopy of a Medicare Card, the expired number in isolation is generally not sufficient as a point of identification and therefore poses a limited risk of misuse.
As an added precaution, we have alerted Services Australia to the incident and that some expired Medicare numbers were included in the affected dataset. Services Australia will be increasing the security on the related Medicare account to protect your Medicare records and to detect suspicious activity. As a result, we consider the risk associated with this information to be low.
It is recommended that you monitor your Medicare, Centrelink and MyGov accounts and if you are concerned about the security of your Services Australia accounts, you can contact the Scams and Identity Theft Helpdesk on 1800 941 126 (available 8am to 5pm AEDT Monday to Friday).
We also recommend that you review and continue to monitor your consumer credit report for any discrepancies or unusual activity. Information about obtaining a credit report or credit ban is provided towards the end of this notification statement.
Medicare card copies
Some Medicare card copies may have been exposed during the cyber incident.
We have already told Services Australia that copies of some Medicare cards may have been exposed. Services Australia will be increasing the security on the exposed cards to prevent anyone from accessing the related Medicare records or misusing the exposed Medicare card. As a result, we consider the risk associated with this information to be low.
Note: if there are multiple people named on an exposed Medicare card, Services Australia will be increasing security and protection for these records as well.
- to help protect your personal information you can request a replacement Medicare card using your Medicare online account through myGov.
- the Services Australia website contains helpful information about the steps you can take to replace your card, if that’s what you want to do: https://www.servicesaustralia.gov.au/databreach
- for help on replacing a Medicare card you can contact the Medicare general enquiries line on 132 011.
- if you are concerned about the security of your Medicare, Centrelink and myGov accounts, you can contact the Services Australia Helpdesk on 1800 941 126 (available 8am to 5pm AEDT Monday to Friday).
We also suggest you look at the latest copy of your consumer credit report for anything unusual. Instructions on how to get a credit report or credit ban are provided towards the end of this letter.
QLD driver licence and/or card numbers (numbers only, not card copies)
Some driver licence and/or card numbers (as opposed to photocopies of licences) may have been accessed during the cyber incident.
Any unauthorised access to your driver licence number and/or card number does not affect its validity and you are still able to use it for its intended purpose, and as a valid form of proof of identity.
We recommend that you review and continue to monitor your consumer credit report for any discrepancies or unusual activity. Information about obtaining a credit report or credit ban is provided towards the end of this notification statement.
Should you wish to replace your Queensland driver licence, we recommend that you:
- visit the Department of Transport and Main Roads (TMR) website below to confirm your eligibility:
https://www.service.transport.qld.gov.au/replacedriverlicence/public/Welcome.xhtml?dswid=-1578; or
- attend a Queensland Government Agency Program (QGAP) or Queensland Police Service (QPS) that offers TMR services to confirm your eligibility. A list of QGAP and QPS facilities that offer TMR services can be found here: https://www.qld.gov.au/about/contact-government/contacts/government-service-offices; or
- speak with the Indigenous Driver Licencing Unit (IDLU) when it next visits your community. More information about the Indigenous Driver Licencing Program is available here: https://www.qld.gov.au/transport/licensing/indigenous-driver-licence-program#visit
Individuals impacted may wish to consider the impact of replacing their IDs as this may prevent you from using the licence as a form of ID, obtaining credit for legitimate purposes or affect your travel plans in the short term while IDs are being reissued. Please consider this advice and your own circumstances before deciding to replace your ID.
QLD driver licence copies
Some copies of driver licences may have been accessed during the cyber incident.
Any unauthorised access to your driver licence does not affect its validity and you are still able to use it for its intended purpose, and as a valid form of proof of identity.
We recommend that you review and continue to monitor your consumer credit report for any discrepancies or unusual activity. Information about obtaining a credit report or credit ban is provided towards the end of this notification statement.
Should you wish to replace your Queensland driver licence, we recommend that you:
- visit the Department of Transport and Main Roads (TMR) website below to confirm your eligibility:
https://www.service.transport.qld.gov.au/replacedriverlicence/public/Welcome.xhtml?dswid=-1578; or
- attend a Queensland Government Agency Program (QGAP) or Queensland Police Service (QPS) that offers TMR services to confirm your eligibility. A list of QGAP and QPS facilities that offer TMR services can be found here: https://www.qld.gov.au/about/contact-government/contacts/government-service-offices; or
- speak with the Indigenous Driver Licencing Unit (IDLU) when it next visits your community. More information about the Indigenous Driver Licencing Program is available here: https://www.qld.gov.au/transport/licensing/indigenous-driver-licence-program#visit
Individuals impacted may wish to consider the impact of replacing their IDs as this may prevent you from using the licence as a form of ID, obtaining credit for legitimate purposes or affect your travel plans in the short term while IDs are being reissued. Please consider this advice and your own circumstances before deciding to replace your ID.
Passport copies
Some copies (scans/photocopies) of passports may have been accessed during the cyber incident.
Any unauthorised access to your passport does not affect its validity and you are still able to use it for travel and as a valid proof of identity.
We recommend that you:
- refer to the data-breach frequently asked questions (FAQs) on the Australian Passport Office website here: https://www.passports.gov.au/data-breaches
- review and continue to monitor your consumer credit report for any discrepancies or unusual activity. Information about obtaining a credit report or credit ban is provided towards the end of this notification statement.
Carefully consider the impact of replacing your passport if you are thinking of doing so. Replacing a passport may prevent you from using it as a valid form of ID, obtaining credit for legitimate purposes or affect your travel plans in the short term while a new passport is being issued. Please consider this advice and your own circumstances before deciding to replace your passport.
Expired passport copies
Some expired copies (scans/photocopies) of passports may have been accessed during the cyber incident.
An expired passport can be used for digital verification purposes for up to 3 years after the date of expiry.
As such, we recommend that you:
- refer to the data-breach frequently asked questions (FAQs) on the Australian Passport Office website here: https://www.passports.gov.au/data-breaches
- review and continue to monitor your consumer credit report for any discrepancies or unusual activity. Information about obtaining a credit report or credit ban is provided towards the end of this notification statement.
- carefully consider the impact of replacing your passport if you are thinking of doing so. Replacing a passport may prevent you from using it as a valid form of ID, obtaining credit for legitimate purposes or affect your travel plans in the short term while a new passport is being issued. Please consider this advice and your own circumstances before deciding to replace your passport.
Individual Health Identifier numbers
Some individual health identifier numbers may have been accessed during the cyber incident. Whilst it may be concerning to have your individual health identifier number accessed in this way, it cannot be used as a valid form of proof of identity.
If you are concerned, please contact the Apunipima support team on (07) 4037 7192 (between 8.30am and 4.30pm AEST Monday to Friday) or email notify@apunipima.org.au.
Bank card copies
Some copies (scans/photocopies) of bank cards (including credit card numbers and expiry dates) may have been accessed during the cyber incident.
You may wish to:
- review your recent transaction history and bank card statements for any suspicious activity.
- contact your bank to report this event and flag any suspicious activity identified.
- follow any guidance from your bank.
Bank card details (credit card number and expiry date)
Some bank card details (credit card number and expiry date) may have been accessed during the cyber incident.
You may wish to:
- review your recent transaction history and bank card statements for any suspicious activity.
- contact your bank to report this event and flag any suspicious activity identified.
- follow any guidance from your bank.
Bank card (credit card number and expiry date) details (expired)
Some expired bank card details (credit card number and expiry date) may have been accessed during the cyber incident.
You may wish to:
- review your recent transaction history and bank card statements for any suspicious activity.
- contact your bank to report this event and flag any suspicious activity identified.
- follow any guidance from your bank.
Centrelink Customer Reference Numbers (CRNs)
Some Centrelink CRNs may have been exposed during the cyber incident and we have already told Services Australia about this. Your CRN by itself cannot be used as a proof of identity.
You do not need to request a replacement Centrelink card (if you have one). Services Australia will be arranging for increased security for the related Centrelink accounts to protect the associated Centrelink information.
If you are concerned about the security of your Centrelink account, you can contact Services Australia to add a verbal password. To increase the security of your online accounts, please consider using strong passwords and multi-factor authentication.
You can contact the Services Australia Helpdesk on 1800 941 126 (available 8am to 5pm AEDT Monday to Friday).
Health Information
Some health information may have been accessed during the cyber incident. This information is mostly in relation to allergies and/or prescriptions, with only a small number of individuals’ health conditions noted.
For context, cyber-criminals typically seek to misuse information that can be easily manipulated for financial gain (such as credit cards and identity documents for identity theft). For this reason, health information by itself is generally not useful to a cyber-criminal.
We know that it will be concerning to learn that your health information may have been accessed in this manner. Should you experience any anxiety or distress in relation to this, please seek medical advice from your regular Doctor. Free information is available here: https://www.beyondblue.org.au/the-facts/anxiety.
If you would like more information about the health information related to you that may have been involved, please contact the Apunipima support team on (07) 4037 7192 (between 8.30am and 4.30pm AEST Monday to Friday) or email notify@apunipima.org.au.
Change of name certificate copies
Some change of name certificate copies may have been accessed during the cyber incident. Any unauthorised access to an ID document of this type does not affect its validity and you are still able to use it for its intended purpose, and as a valid form of proof of identity.
However, if you are concerned, please contact the issuing authority of the certificate for advice and support.
We also recommend that you review and continue to monitor your consumer credit report for any discrepancies or unusual activity. Information about obtaining a credit report or credit ban is provided towards the end of this notification statement.
Superannuation membership IDs
Some superannuation membership ID information may have been accessed during the cyber incident. To reassure you, your superannuation membership ID by itself cannot be used to allow unauthorised access to your superannuation account.
However, you may wish to:
- check your transaction statements closely;
- contact your super fund to report this incident and request to have tighter security on your account, such as adding a security question only you would know the answer to, or a new PIN;
- where available use two-step authentication – such as SMS codes to your mobile phone;
- check your credit report yearly (this alerts you to any attempts to open a credit account in your name); and
- never respond to, open or click on links in emails purporting to be from your superannuation company (it is always safer to call).
Q: I think I need a credit report or credit ban, where can I go to get one?
A: You can apply for an annual free credit report from one of the consumer Credit Reporting Agencies below.
You can also consider contacting the below credit reporting bodies to place a temporary ban on your credit report. This means that they will not be able to share your credit report with credit providers without your consent for 21 days (unless extended).
- Equifax: https://www.equifax.com.au/personal/products/credit-and-identity-products
- Illion: https://www.creditcheck.illion.com.au/
- Experian: http://www.experian.com.au/consumer-reports
Q: Who can I contact for more information about cyber security and protecting my online identity?
A: Additional general resources on identity and cyber security support can be found here:
- https://www.oaic.gov.au/privacy/data-breaches/data-breach-support-and-resources/
- https://www.idcare.org/
If you have any other questions after reviewing this notification, please contact the Apunipima support team on (07) 4037 7192 (between 8.30am and 4.30pm AEST Monday to Friday) or email notify@apunipima.org.au.
[1] Please see: https://www.ato.gov.au/general/online-services/identity-security-and-scams/Help-for-identity-theft/Data-breach-guidance-for-individuals.
-END OF NOTIFICATION-