Privacy breach alert

TUH reports privacy incident to OAIC

TUH has reported a breach of member data to the Office of the Australian Information Commissioner (OAIC).

The breach occurred on [DAY DATE] between [TIME] and [TIME].  During this period, [ONE SENTENCE OF SUMMARY OF DATA BREACH, INCLUDING TYPE OF PERSONAL INFORMATION INVOLVED]

We believe the breach to have affected [NUMBER] members.  [INSERT ANY OTHER QUALIFYING INFORMATION EG WERE ON THE WEBSITE AT THE TIME, LOCATED IN A PARTICULAR AREA, PERFORMING A PARTICULAR ACTIVITY ETC]

TUH apologises to members affected by this issue. We take the privacy and sensitivity of our members’ personal information extremely seriously.

We have notified the relevant authorities, including OAIC, police and [ANY OTHERS AS NEEDED EG REGULATORS, FINANCIAL INSTITUTIONS ETC].  This is the first time TUH has had a data breach of this nature, and we have launched an internal review and will take all necessary actions to mitigate future incidents. [IF ACCURATE]

TUH is directly contacting those members affected by the incident.  We encourage those members to [OUTLINE ACTIONS EG RESET THEIR PASSWORDS / ADVISE THEIR FINANCIAL INSTITUTION / REPORT SUSPICIOUS TRANSATIONS ETC]

Any member concerned about their account details should contact TUH on 1300 360 701.

TUH action 

Once the breach was identified, TUH immediately [SHUT DOWN THE WEBSITE / WEB PAGE / ONLINE PORTAL ETC].  The cause of the issue has now been fully resolved and services restored.  [OR PROVIDE GUIDANCE ON WHEN SYSTEMS WILL BE OPERATIONAL AGAIN]

TUH works closely with expert national IT systems provider HAMBS to ensure its platforms are secure. HAMBS conducts ad-hoc and periodic security scanning and assessments of the systems used by TUH, and ensures they are well maintained and up-to-date. It also uses an external certified group to conduct attack and penetration tests.

HAMBS’s systems have been developed to comply with the regulatory requirements of the health industry and in accordance with the Australian Privacy Principles, prescribed in the Commonwealth Privacy Act 1988.