Participants of the National Disability Insurance Scheme (NDIS), including their families and carers, have been caught up in Australia’s landmark Russia-linked hack at HWL Ebsworth.

Australian government has been scrambling to discern the impacts of an April cyber incident at law firm HWL Ebsworth which saw a proclaimed four terabytes of data stolen at the hands of Russia-linked hackers.

The law firm has tens of millions of dollars in contracts across at least 40 government departments and agencies – and while the incident is known to entail data theft from certain Defence projects, the federal Fair Work Ombudsman and the Office of the Australian Information Commissioner, government officials are still working to determine the full extent of stolen Commonwealth data.

Now, the National Disability Insurance Agency (NDIA), which runs the NDIS, has confirmed the information of some NDIS participants has been affected.

“Some NDIS participants, prospective participants, their families and carers, and staff have been impacted by this breach,” reads an NDIA statement.

“The NDIA is working closely with HWL Ebsworth to ensure those affected are appropriately identified, notified and supported as we confirm what information has been affected.”

HWL Ebsworth is contracted to provide legal services to the NDIA, and while NDIA systems were not directly compromised, it has still found itself and its participants impacted by the hack.

The breach is particularly concerning for NDIS participants given the sensitive nature of personal and health information often processed by the disability funding scheme.

In a notably scant statement from late July, the NDIA said it was “working closely” with HWL Ebsworth to “ensure those affected are appropriately identified, notified and supported” as it confirms what information has been impacted.

“All impacted individuals will be directly contacted by the NDIA,” it said.

According to the ABC, a Tasmanian man received an email from the NDIA on 1 August informing him his “data, including personal information, may be involved in [the] breach”.

This email was reportedly sent seven days after it was publicly confirmed NDIS participants had been affected, and the general public is still waiting on answers regarding what data has been impacted.

“You're supposed to be able to trust professional agencies to keep your information confidential," he told the ABC.

When seeking comment on what participant data has been exposed or stolen, an NDIS spokesperson told Information Age they didn’t have anything further to add at this time.

Members of People with Disability Australia (PWDA), a national disability rights and advocacy organisation, expressed concern over the security of their private information and spoke to the Office of the Minister for the NDIS, Bill Shorten.

“I have been assured the NDIA is taking this matter extremely seriously and are taking measures to protect participant data and information security,” Shorten told PWDA.

PWDA President Nicole Lee said, “while news of the breach is understandably distressing for anyone who interacts and shares their personal information with the NDIS, we are reassured that both the NDIS and the Department of Social Services (DSS) are doing everything they can to support those impacted, while also ensuring any risk of this happening again in the future is mitigated.”

This isn’t the first time NDIS data has been leaked as a result of a third-party incident.

In 2022 – only months before the historical data breaches at Optus and Medibank – CTARS, a Sydney-based software firm which offers a cloud-based client management system for NDIS, suffered a hack which saw personal health information stolen and leaked online.

NDIA has reported its latest breach to the Office of the Australian Information Commissioner, and encourages those concerned their data may have been accessed to call NDIA on 1300 216 807.