We recently experienced a data breach when one employee’s Microsoft account and linked documents were accessed by an unauthorised third party as the result of a phishing incident.
To all of our people and valued customers, we assure you that we are taking this matter very seriously and we apologise for any inconvenience or distress that this incident may have caused.
Upon discovering the incident we immediately took steps to secure our system and contain its impact. We then commenced an investigation and engaged specialist cyber security experts to understand what happened and strengthen our systems.
During the incident, an unauthorised third party accessed personal identity information, personal identity documents and confidential information about some past and present Breakthru employees, job applicants and customers. It is possible that a copy of this personal information was taken by the unauthorised third party.
There is no current evidence of misuse of any individual’s personal information.
We have already informed the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC) of the incident. We will continue to keep them informed as we continue our investigation.
Please know that we remain committed to protecting the personal information of all individuals. We thank everyone for your understanding and ongoing support, so that we can continue our important work in supporting people living with illness, injury or disability.
If you have a query about how we manage your personal information, please see further information about our Privacy Policy on our website.
We understand the importance that you place upon your personal information, and the protection of your information is always our utmost priority.
If you would like to know more about the incident and how you have been impacted, please email us at [email protected]
IDCARE
Our organisation has partnered with IDCARE, Australia’s national identity and cyber support community service. Please click here to reach IDCARE and fill in their form or call 1800 595 160.
We strongly recommend that you consider taking the following steps to protect yourself from potential scams and other harm like identity theft.
We urge you to remain vigilant and encourage you to access the support provided by IDCARE in the event you have any concerns.
We encourage you to take general precautions to protect your personal information, such as:
Remain alert to any suspicious email, SMS or telephone communications that are disguised to look like they come from someone you know or trust.
Verify the legitimacy of communications by authenticating the sender. This includes checking email names and domains.
Don’t respond to the suspicious communication but rather contact the person via their usual means of communication to verify the legitimacy of the communication.
Do not open links that look suspicious. If you are unsure about a link sent to you by a company, you should go to the company’s website and look for the product or service that was offered.
Be alert to phishing scams. This could include scams that target you through post or email. Phishing scams are attempts by scammers to trick people into providing their personal information, passwords, credit card numbers and/or sensitive personal information.
Consider changing your email account passwords. Make sure you use strong passwords that you do not use for other accounts. Enabling multi-factor authentication is a good idea where possible.
You can find further information about online safety, cyber security and helpful tips at cyber.gov.au.
Royal Rehab / Breakthru recently experienced a data breach where one employee’s Microsoft account and linked documents were compromised as the result of a phishing incident.
Our specialist cyber security experts have identified that during the access to the employee’s Microsoft account, an unauthorised third party accessed a mixture of personal identity information, personal identity documents and confidential information about some past and present employees, job applicants and customers. It is possible that a copy of this confidential information was taken by the unauthorised third party.
Our ongoing investigation has not identified any evidence to indicate that clinical systems or customer record systems were accessed or any other user accounts were compromised.
While there is no current evidence of misuse of any individual’s personal information, we are contacting individuals who have been impacted, in accordance with our commitment to communicating transparently.
Our organisation has notified the Australian Cyber Security Centre (ACSC) and Office of the Australian Information Commissioner (OAIC). We remain committed to protecting the personal information of all individuals and we apologise for any inconvenience or distress that the notification of this incident may have caused.
We became aware of the incident when our organisation identified suspicious emails sent from the compromised email account.
The incident occurred when a single user clicked on a phishing link, which resulted in the compromise of a business email account. As soon as we discovered the incident, we immediately took steps to secure our system and reset access credentials for all users. We then commenced an investigation into the incident and engaged specialist cyber security experts to understand what happened.
We understand the importance that people place upon their personal information. The protection of your information is always our utmost priority. We know how important it is to be vigilant about securing people’s information.
We are informing individuals whose information has been accessed so that they can take the necessary steps to protect themselves and access the support we’re providing, and so they know where to direct any questions about this incident.
We are also informing individuals whose information has been accessed so that they can take steps to protect themselves such as changing passwords and updating identity documents.
Our specialist cyber security experts have confirmed that the unauthorised third party has accessed some personal identity information, personal identity documents and confidential information that current and former employees, job candidates and customers have provided to Breakthru.
It’s important to remember that our investigation has not identified any evidence to indicate that clinical systems or customer record systems were accessed or any other user accounts were compromised. We believe that the incident has been contained and we have also taken steps to further strengthen our system and passwords.
If your personal identity information or personal identity documents have been impacted, you will receive an email from [email protected]. This email will contain information about support available, as well as a form for you to complete if you are seeking more information about this incident and how you may have been affected.
If you have any other questions or would like to contact us, you can email [email protected].
If you have not received an email from [email protected], this means that our investigation so far has not identified any evidence that your personal identity information or personal identity documents have been impacted.
We are confident that the unauthorised third party does not have ongoing access to the employee’s compromised Microsoft account. However, we cannot exclude the possibility that the unauthorised third party took a copy of information that they were able to access during the incident. We have taken steps to further strengthen our systems.
In accordance with our commitment to communicating transparently, we are notifying all individuals who may have been impacted by this incident so that they can remain alert to scams and take any further steps to protect their personal information.
We have established a response team to support individuals who may have been impacted by this incident.
We have also notified the Australian Cyber Security Centre (ACSC) and Office of the Australian Information Commissioner (OAIC).
We remain committed to protecting the personal information of all individuals and we apologise for any inconvenience or distress that the notification of this incident may have caused.
We have also partnered with IDCARE, Australia’s national identity and cyber support community service.
While there is no current evidence of misuse of any individual’s personal information, records containing personal information were accessed and it is possible that a copy of this information was taken. This information could potentially be misused in the future, which is why we have communicated with those affected to provide them with steps they can take to protect themselves.
According to the Australian Cyber Security Centre, phishing is a way cyber criminals trick you into giving them personal information. They send you fraudulent emails or text messages often pretending to be from large organisations you know or trust.