NDIA detects data breach

The National Disability Insurance Agency (NDIA) has detected a data breach involving the alleged unauthorised disclosure of the personal details of some National Disability Insurance Scheme (NDIS) participants and related parties. 

The information that was disclosed involved some details recorded in the NDIA’s system, including:

  • Full name 
  • Date of birth 
  • Gender 
  • Address, including postcode 

In a small number of cases, the Agency is aware of further details being disclosed.

All impacted individuals will be directly contacted by the NDIA.

An NDIA staff member has been arrested and charged with the alleged unauthorised disclosure of information to two individuals who had been acting as NDIS providers.  

The pair have been barred from delivering supports to NDIS participants, with the NDIS Quality and Safeguards Commission issuing banning orders against the individuals and two associated provider companies. 

One of these individuals has also been arrested and charged in relation to this matter. 

The NDIA continues to actively monitor the situation. 

We would like to reassure everyone that this will not impact any participant’s ability to receive services.

All participants can continue receiving their disability supports in the usual way.  

The NDIA understands this may cause distress to participants, as well as their families, carers and supporters.

We sincerely apologise for any distress caused. 

The Agency has worked to identify, and has begun contacting, any participants impacted by this activity, to ensure they continue to receive their NDIS supports.

This has included supporting some participants to find alternative providers to deliver their services. 

Participant welfare has been our absolute priority. We are actively working with participants and their nominees to protect their plans. We are also actively monitoring plans and account transactions for any unusual or suspicious activity.  

There is no need to contact us.

However, if you need to contact us, please do so by: 

  • calling 1800 800 110 (Monday to Friday, 9:00am to 6pm AEDT) or
  • emailing [email protected] 

We would like to stress this was not a cyber-attack on the NDIA's computer systems.

Please be assured that the Agency is taking this matter extremely seriously and is working to ensure that NDIS systems and protocols are able to prevent, detect and remediate these types of breaches.  

The NDIA has reported the data breach to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches (NDB) scheme. 

The NDIA detected the breach during an investigation by the Fraud Fusion Taskforce. More information is available in the media release.