Notification of Cyber Incident
We are informing you of a recent cybersecurity incident that has affected the Australian Centre for Heart Health (ACHH) (formerly the Heart Research Centre).
What Happened?
On 12 November 2024, we became aware of a ransomware attack in which an unauthorised third party (SafePay) gained access to some of our IT systems, encrypted the contents of those systems and exfiltrated some data.
We engaged external IT consultants to investigate and restore our systems. At this time, we are unable to confirm which files have been exposed, and therefore what information may now be available to the malicious actors.
How We Are Responding
We are notifying stakeholders who could possibly be most affected by the breach by email or letter, where we had contact details, telling them what personal information may have been accessed/compromised.
We have notified and are working closely with the government and relevant authorities, including the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, the Australian Tax Office as well as Services Australia.
We have updated our systems so that they are stronger and more secure and disabled the means by which the threat actors gained unauthorised access. Protecting data and ensuring the privacy of individuals is incredibly important to us. We are working to improve our internal controls and strengthen data security measures to prevent something like this happening again.
Types of data that may have been accessed
Note that this does not mean that all the forms of data apply to everyone in that category. See your notification letter for details.
Clinic clients – Identifying information including names, date of birth, gender, address, contact details, health information including psychological assessment, medications, comorbidities, Medicare number.
Training participants – Identifying information including names, address, contact details.
Research participants – Identifying information including names, date of birth, gender, address, contact details, UR number, Medicare number, health information.
Donors – Identifying information including name, date of birth, gender, address, contact details, financial information, gift history.
Current and former employees – Identifying information including names, date of birth, gender, address, contact details, financial information, tax information, superannuation, employment records.
What You Should Do
As a valued stakeholder of ACHH, it’s wise to take steps to protect your information and ensure your own security. We strongly recommend the following:
Change Your Passwords: It is a good idea to change your password regularly, but after a data breach, it's especially important to change your passwords to something strong, secure, and unique. Do not use the same password for all your online accounts. You may want to consider using a password manager to help generate and keep track of your passwords.
Monitor for Suspicious Activity: Be vigilant for any unusual emails or text messages, especially those that ask for sensitive information or contain unexpected attachments or links. If your name and contact details were involved in a data breach, you may receive a personalised email or text message. Don’t open attachments or click on links in emails, texts or social media messages from strangers or if you are unsure whether the sender is genuine. These may be phishing attempts linked to the ransomware attack.
Enable Multi-Factor Authentication (MFA): If you haven’t already, enable MFA on your accounts to add an extra layer of security. Multi-factor authentication asks you to confirm your identity with two or more methods, such as a password and a security code sent to your mobile phone. This will help protect against unauthorised access, even if your password is compromised.
Update Your Software: Ensure that your operating systems, applications, and antivirus software are up to date with the latest security patches. This will help safeguard against potential vulnerabilities.
Report Suspicious Emails or Activities: If you receive any suspicious emails or notice any unusual behaviour related to ACHH communications, please report it immediately to us at heart@australianhearthealth.org.au or 03 9326 8544.
Take care on phone calls: Don’t share your personal information over the phone unless you are certain about who you are sharing it with. If someone calls you and claims to be from an organisation or an agency, you can hang up and verify the information by checking their website and then calling the organisation or agency back.
Measures that could be taken with regard to specific sorts of data that may have been accessed / compromised
Medicare
A Medicare card number belonging to you may have been exposed during the cyber incident.
Rest assured, your Medicare account cannot be accessed with your Medicare card number alone. Unlike a scan or copy of a Medicare card, a Medicare card number by itself cannot be used as proof of identity.
If you are concerned about the security of your Medicare account, please visit www.servicesaustralia.gov.au/databreach for more information on how you can protect your personal information after a data breach.
Superannuation
Contact your superannuation provider and explore with them what additional security measures they may have available to protect you.
Financial
Having your debit and credit card details exposed presents a risk of misuse. Although a BSB and account number do not present a direct misuse risk, the BSB identifies the financial institution, which may make impersonation scam attempts appear more legitimate.
Contact your bank(s) and explore with them what additional security measures they may have available to you.
If you observe any unusual activity on your account or any misuse with your card, please speak directly to your bank or the card issuer using the telephone number listed on the card.
You may consider engaging a credit and identity monitoring service, such as Equifax Protect, which helps reduce the risk of financial loss.
Tax Information
We have reported the incident to the Australian Taxation Office (ATO), in order that they can apply protective measures to your Tax File Number. These measures aim to detect fraudulent activity. There is nothing further you need to do; however, if you have any concerns, you may wish to contact the ATO’s specialist Client Identity Support Centre on 1800 467 033 Monday to Friday 8.00am–6.00pm AEST. More information is available on the ATO's website at https://www.ato.gov.au/general/online-services/identity-security-and-scams/help-for-identity-theft/data-breach-guidance-for-individuals/
Health Information
Whilst this information does not pose a direct identity related misuse risk, we acknowledge that for some people there may be concerns that arise due to the sensitivities associated with the exposure of personal health information. If you have any questions about your information, please contact privacy@australianhearthealth.org.au to arrange to speak with one of our staff.
Photos
For most people, photographs are considered low-risk identity attributes. However, in combination with other attributes (such as your full name, date of birth, email address and phone number), they may allow scammers to present themselves as more legitimate.
Employee documents
These include documents such as position descriptions, salary information and contracts, which in themselves do not pose a significant identity theft risk. We acknowledge, however, that for some people there may be concerns that arise due to the sensitivities associated with the exposure of this information.
Gift history
This information relates to donations received over time, e.g. last gift amount, total gift amount and number of gifts.
How we will keep you updated
We value our relationship with you and we deeply regret that this incident occurred. We will update our website if there are any significant developments.
If you have questions regarding this notification, please contact privacy@australianhearthealth.org.au.