CHIRP Community Health CEO Message
In September CHIRP Community Health was informed by our information technology provider that we were the target of a cyber incident. This incident involved unauthorised access to our information technology system and access to historical client registration details. An investigation has found no evidence that this information was taken out of our system. However, taking a highly cautious approach and as part of our commitment to privacy, people we have addresses for who have been impacted by this data breach have received a letter from CHIRP CH and advised on the implications of the potential exposure and the actions we have taken.
On September 18, 2020 we were informed by our IT provider of unauthorised access to our IT system. We immediately investigated this with assistance from the Department of Health and Human Services. We identified an attempt to run spam emails using our IT systems. This attempt was successfully shut down. However, the investigation indicated that historical client registration information (2005-2014) stored on our system had been viewed during this unauthorised event. There was no evidence that personal information was removed from our system and an investigation has shown it has not been published on the internet.
This information on our system included name, address, phone number, date of birth, and for some people their Medicare number. It also contained the health program information that people may have registered for in a tick box, such as chronic disease and alcohol and drug services, the date registered, and in some cases marital status, and background such as refugee status.
What Has Been Done
CHIRP immediately took the following steps on discovering the cyber incident;
- Notified the Victorian Department of Health & Human Services to leverage their
specialist advisory team to assist in managing the response to the incident,
- Removed the unauthorised access and conducted a rigorous investigation by external expert cyber security investigators,
- Informed Services Australia to arrange additional security measures for individuals with exposed Medicare, Pension or Health Care Card information,
- Worked with IDCARE, Australia’s specialist identity security community service, to
understand the risk to impacted persons and arrange for support for people,
- Informed the privacy regulator – Office of Victorian Information Commissioner,
- Reported the matter to other relevant authorities; and
- Set up work with DHHS, the Loddon Mallee Health Information Technology Alliance and Castlemaine Health to progress information technology integration to mitigate against any future issues.
What are the most common uses of personal information?
Cyber criminals mainly want to gather enough personal information in order to access accounts that provide them financial gain or purchase products or services. The common uses for address and contact details together with Medicare numbers are:
- Undertaking telephone scams to obtain passwords to bank accounts or credit card details. Scammers will pretend to be from a Government department, Bank or Telco and use your details to prove they know you.
- Obtain health benefits using your Medicare Card number
- Attempt to open new accounts like credit cards, buy now pay later, or new phone accounts.
- Sometimes they create new social media accounts or emails in a person’s name.
Community members are welcome to contact us or IDCARE if they are concerned.
IDCARE is a national, not-for-profit identity and cyber-support service, to provide individual support to people whose information may have been compromised. This incident has a referral code IDC-CHM. IDCARE case managers are available from 8:00am – 5:00pm Monday to Friday (AEST). They can be contacted by web or by phone:
- Website: fill out an online Help Request Form
(https://www.idcare.org/contact/get-help) to book a time
- Phone: 1800 595 160 and leave a voicemail or call back message