NDIS (Australia) 2022 Data Breach (CTARS)


Classification Tags

Actor: Unknown (deep web forum sample posted) · Sector: Medical · Data: Date of Birth, Email Address, Full Name, Gender, Health Information, Password, Phone Number, Physical Address
Severity: Moderate · Type: Website / service breach

NDIS Australia Disability Insurance Scheme Breach (2022, via CTARS): 12,000 Participant Health & Identity Records Exposed

Government system managing disability insurance and participant data.

Verified by ObscureIQ Intelligence
Breach Risk Index: 53/100
Data Value: 40
Market Recency: 10
Since Breach: 1427 days

Breach Intelligence Summary

Entity: NDIS (Australia) · Actor: Unknown (deep web forum sample posted) · Sources: 2 references
Attack: Unknown
Profile: Gov agency system · Client management system for healthcare insurance · National disability scheme · Australia
Timeline: Breach (2022-05-15) · Sample posted on forum (2022-05-21) · Indexed by Have I Been Pwned (May 31, 2022) · Year (2022)
Exposure: 12K records · 10 fields: Date of Birth, Email Address, Full Name, Gender, Health Information, Password, Phone Number, Physical Address, Salutation, Username
Status: Reported

Executive Summary

CTARS, a Sydney-based, cloud-hosted client-management system used by Australian National Disability Insurance Scheme (NDIS) service providers, suffered a data breach on May 15, 2022. An unauthorised third party gained access to CTARS systems and, six days later, posted a sample of the stolen data on a deep web forum. The company stated that it was unable to confirm the precise extent of the compromise given the volume of data involved, and chose to treat all information held in its database as compromised.

Have I Been Pwned indexed approximately 12,000 unique email addresses and added the breach to its public database in May 2022 as a sensitive breach, meaning records are not publicly searchable. Compromised fields included names, dates of birth, gender, salutations, email addresses, phone numbers, physical addresses, usernames, passwords, and personal health information. The broader CTARS dataset reportedly also included Medicare details, pensioner card numbers, tax file numbers, and detailed disability-related health information including diagnoses, treatments, and progress notes for NDIS participants.

For affected individuals, the practical risk profile is unusually severe and durable. Inclusion in the dataset effectively confirms the existence of a disability or care relationship, which is itself a sensitive personal attribute. The combination of identity, contact, and health data creates risk of insurance fraud, employment discrimination, targeted scams referencing care arrangements, and exploitation of cognitive or physical vulnerabilities. Tax file number and Medicare exposure raises the additional risk of identity-verification bypass at Australian government services, since those numbers are commonly used as proof-of-identity attributes. NDIS participants who used a service provider on the CTARS platform should remain alert to unsolicited contact referencing care, treatment, or government-benefit topics, and can access ongoing support through IDCARE using the referral code CTR22.

ObscureIQ assessment: Extremely sensitive. Exposure can enable identity theft, benefits fraud, exploitation of disabled individuals, and serious privacy harm tied to disability status and care relationships.

Breach Impact

The institutional impact fell across multiple parties. CTARS engaged external cybersecurity specialists, notified the Office of the Australian Information Commissioner and the Australian Cyber Security Centre, and arranged identity-theft support through IDCARE for affected NDIS participants and providers. Individual NDIS service-provider customers were responsible for notifying their own clients, which created uneven communication and gaps in consumer awareness. There has been no public regulatory enforcement action specifically tied to the breach, despite the unusually sensitive nature of the data. The reputational impact on CTARS has continued to surface in Australian privacy and disability-sector commentary as a reference incident illustrating regulatory weakness around health and disability information.

About NDIS (Australia)

The National Disability Insurance Scheme (NDIS) is the Australian government's primary support program for people with significant and permanent disabilities, funding services for approximately 500,000 Australians. The scheme itself is administered by the National Disability Insurance Agency (NDIA), but service-delivery records are typically held by individual disability-service providers using third-party software platforms. CTARS is one such platform: a Sydney-based, cloud-hosted client-management system used by NDIS service providers, out-of-home care providers, and aged-care operators to record participant details, care plans, progress notes, and other operational data. Because the breach occurred at this third-party platform rather than at the NDIA, the affected population is the client base of the providers that used CTARS, not every NDIS participant. Health and disability information held in these systems is unusually sensitive even by healthcare-sector standards.

Why They Hold Your Data

Government disability-service systems collect highly sensitive client identity, contact details, eligibility records, care and support-service data, provider relationships, and billing or case-management information.

Recent Developments

CTARS continues to operate as a software provider in the Australian disability and care sector following the breach. NDIS-system reform and broader Australian privacy-law modernisation have continued through 2025 and into 2026, with the Privacy Act amendments expanding obligations on data handlers and providing new pathways for redress. The Australian Information Commissioner was notified at the time of the original incident, although civil-society reporting has questioned whether sufficient regulatory follow-up occurred. Crikey and Choice published reports describing the CTARS incident as 'a much more serious breach than Optus' because of the sensitivity of the medical data involved, even though Optus drew far greater public attention.

Data Points Exposed

10 verified field types (sensitivity rating shown where one is assigned):
  • Date of Birth (High)
  • Email Address
  • Full Name (High)
  • Gender
  • Health Information (Critical)
  • Password (Critical)
  • Phone Number
  • Physical Address (High)
  • Salutation
  • Username


Exploitation & Downstream Threats

Threat Activity: High
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Identity verification bypass using name + date of birth combination
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Identity verification bypass
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Profile enrichment
  • Insurance fraud & employment discrimination
  • Credential stuffing & account takeover
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Professional impersonation seeding
  • Cross-platform tracking & credential stuffing

Threat Actor: Unknown (deep web forum sample posted)


Attribution and method are based on available breach intelligence. Reported attack vector: Unknown.

Recommended Actions

If you believe your information may be included:

Change Reused Passwords
Change the password on any account that used it (for this breach that is mainly provider staff with CTARS logins) and on every other site where you reused it; use a password manager so each site gets a unique one.
Enable MFA Everywhere
Turn on multi-factor authentication on your email account first, then on financial accounts, since email is the recovery channel for everything else.
Report & Recover
If you spot misuse, contact IDCARE using the referral code CTR22 (the support arrangement CTARS put in place), start an official recovery plan, and report the fraud.
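A practical way to act on the "Change Reused Passwords" step is to check whether a password already circulates in breach corpora before deciding what to rotate. The following is an added example, not code from ObscureIQ, CTARS or Have I Been Pwned. It uses HIBP's documented Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/<first five hex chars of the SHA-1>) and its optional Add-Padding header; only the 5-character hash prefix is ever sent, and the remaining 35 characters are matched locally, so the service never learns the password (k-anonymity). The sample response body and its counts are constructed for offline demonstration; the live-lookup function is included but not exercised by the demo.

```python
"""
Pwned Passwords k-anonymity check.

Added example; not code from ObscureIQ, CTARS or HIBP.  The range endpoint
and the "Add-Padding" header are documented HIBP features.  The sample
response body below is constructed so the demo runs offline.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Split the 40-char hash into the 5-char prefix that is sent to the API
    and the 35-char suffix that stays on this machine.  The server only
    learns that the password hashes to one of the several hundred entries
    sharing that prefix."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.  With Add-Padding the
    server mixes in dummy suffixes carrying a count of 0; drop those so they
    are never mistaken for a hit."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in breach data, given the range
    response for its prefix.  0 means not present in that response."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup of one prefix (needs network; not used by the offline demo)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """Full flow against the live API: send the prefix, match the suffix locally."""
    prefix, _ = split_for_range_query(password)
    return breach_count(password, fetch_range(prefix))


# Constructed sample response for the prefix of "P@ssw0rd": two non-zero
# entries and one zero-count padding line.  Suffixes (other than the real
# one for "P@ssw0rd") and all counts are invented for the demo.
_SUFFIX_P = split_for_range_query("P@ssw0rd")[1]
CONSTRUCTED_RANGE_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_SUFFIX_P}:3",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",
])


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, CONSTRUCTED_RANGE_BODY))
```

Any non-zero count is a reason to retire the password everywhere it was used, not just on the breached service; a zero count says only that the hash is not in the corpus the API serves, not that the password is safe to reuse.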

Frequently Asked Questions

What happened in the NDIS (Australia) breach?

CTARS, a Sydney-based, cloud-hosted client-management system used by Australian National Disability Insurance Scheme (NDIS) service providers, suffered a data breach on May 15, 2022. An unauthorised third party gained access to CTARS systems and, six days later, posted a sample of the stolen data on a deep web forum.

What data was exposed?

Verified fields include Date of Birth, Email Address, Full Name, Gender, Health Information, Password, Phone Number, Physical Address, Salutation, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and, if identity or financial data is involved, place a ban on your credit file with the credit reporting bodies (Australia's equivalent of a credit freeze) and monitor your accounts. IDCARE support is available to affected individuals using the referral code CTR22.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Breach Index: Have I Been Pwned (record and field corroboration)
  • ObscureIQ Intelligence: ObscureIQ proprietary analysis (Risk Index scoring and downstream-threat assessment)
