Letter to impacted clients.

Dear Valued Clients,

We value your business and respect the privacy of your information, which is why, as a precautionary measure, we are writing to let you know about a data security incident that involves your personal information.

Although we are unaware of any actual misuse of your information, we are providing notice to you and other potentially affected patients about the incident, and about tools you can use to protect yourself against possible identity theft or fraud.

 

What Happened?

On Saturday 19th September, our on-premises server was subjected to cyber-attack and the server became inoperable. It is unclear exactly what type or nature of attack on the server took place, however, it was likely some form of Cryptolocker. 

Cryptolocker is a malware that infects your computer and then searches for files to encrypt. Hackers encrypt the data making it no longer accessible to the computer owner. The Cryptolocker virus will display warning screens indicating that the data will be destroyed if you do not pay a ransom.

The Australian Government Cyber Security Centre (ACSC) advises that victims should not pay the ransom, and instead they recommend restoring the files from a backup. This means we totally removed all data from our server and reinstalled our medical software.

Our server housed health records of our patients in the form of emails, documents and health care related information primarily stored within a software application called ‘Best Practice‘.

We do not know if any personal information was accessed or compromised.

The data that could have been accessed may have included information such as:

  • Personal Information from which your identity is apparent or can reasonably be ascertained such as your name, address, date of birth and contact information
  • Health information such as records of health services provided, consultation notes, invoicing and financial records
  • Government Identifiers such as your Medicare or DVA card number

Diabetes And Health Solutions values your privacy and deeply regrets that this incident occurred.

What we have done to protect your information and prevent this happening again?

We have implemented additional security measures designed to prevent a recurrence of such an event, and to protect the privacy of our patients.

To that end we have decommissioned our on-premises server and moved to a specialist hosting provider that specialises in the secure hosting of practice management software used by professional services firms in Australia.

Other security measures have also been implemented with the supporting advice of IT consultants (such as multi factor authentication and use of a VPN) to reduce the likelihood of future recurrence. 

 

We have also notified the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC) to help ensure the incident is properly addressed.

What Can You Do?

Recommendations for Clients

These recommendations are in line with those of the Office of the Australia Information Commissioner and they may not be relevant to everyone, but you should consider and take appropriate steps.

 

Type of data breach

Recommended actions

Financial Information 

(credit card details, online banking logins)

·    Contact bank or financial institution (using details found on their website or phonebook) and cancel cards where necessary.

·    Change online banking passwords.

·    Change banking PIN number.

·    Monitor bank account transactions and account statements.

·    Report any unknown transactions to your bank immediately. 

Contact Information

(home address, email, phone number)

 

·    Change email account passwords.

·    If you emailed yourself online account passwords (such as online banking password) change these also.

·    If you have emailed or stored identity document information (such as drivers’ licence or passport) and believe the information has been accessed, contact the issuing authority.

·    Enable multi-factor authentication where possible.

·    Ensure you have up to date anti-virus software on any device you use to access your emails.

·    Do not open attachments or click links in emails or social media messages from strangers or if you’re unsure that the sender is genuine.

·    Do not provide personal information unless you are certain about who you are sharing it with. (i.e. if someone calls you from an agency (such as a telco) hang up and call the company back using details from their website.)

·    Keep an eye on your accounts for any unusual activity. If you suspect you could be a victim of identity fraud, we recommend contacting IDCARE (www.idcare.org or 1300 432 273), which offers personalised support to individuals who are concerned about their personal identification.

Health Information

·    Contact your doctor, local crisis team, a support service or your family or friends if you experience distress.

Sensitive Information

(about sexuality, race, political views, etc.)

·    Contact your doctor, local crisis team, one of the support services listed below, or your family or friends if you experience distress.

·    If your physical safety is at risk, contact the police.

·    The Office of the eSafety Commissioner has resources that provide advice on a range of online safety issues, which may help you if you experience online harassment, racism, or abuse: https://www.esafety.gov.au/ 

Tax File Number (TFN) information

·     Contact the Australian Taxation Office (ATO). The ATO can apply security measures that will monitor unusual activity with your TFN.

 

Government identity document information

(e.g. drivers’ licence, Medicare card, passport). 

·    Contact the issuing agency.

·    Monitor your credit report, and if you suspect your identity has been stolen contact the police. 

 

The OAIC provides advice and resources for consumers who may have had their information involved in a data breach. We encourage you to review the advice on how to respond following a data breach notification at the following link: https://www.oaic.gov.au/privacy/data-breaches/respond-to-a-data-breach-notification/

 

We would like to sincerely apologise for any inconvenience or distress this situation has caused. As mentioned previously we do not know if there was a breach in data, but we are following best practice guidelines in informing our valued clients.  

 

For further information and assistance, please contact our practice at 07 4019 2660 between 9:00am and 5:00pm daily.

Yours Sincerely

Ingrid Hagne
Credentialed Diabetes Educator/ Director
Diabetes And Health Solutions
17 Upward Street, Cairns, 4870