This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

JewishCare

Summary

On 28 October 2024, JewishCare NSW, a healthcare provider serving the Australian Jewish community, discovered comprehensive data had been compromised and posted on the dark web. The breach affected clients, staff, volunteers, donors, and suppliers (current and former), exposing extensive sensitive information including Medicare cards, passports, driver licenses, bank accounts, credit cards, health records, court orders including domestic violence family orders, wills, incident reports, and next-of-kin data. JewishCare engaged cyber experts and worked with Australian Federal Police, NSW Police, ACSC, and OAIC. The organization stated there was no indication of a targeted attack on the Jewish community.

What Happened

JewishCare NSW provides aged care, disability support, home care, and community services to members of the Australian Jewish community. On 28 October 2024, the organization discovered it had suffered a cyber incident with data exfiltrated and published on the dark web.

The breadth of compromised data was extensive, varying by individual relationship with JewishCare:

Client data included dates of birth, contact information, bank accounts, credit card details and statements, identity documents (Medicare cards, passports, licenses), photos, next-of-kin and family information, wills, incident reports, court orders including domestic violence family orders, and comprehensive health and medical data.

Donor data included donor IDs, contact information, payment details, payment history, and communications with JewishCare that could contain personal experiences and health information about individuals and loved ones.

Staff and volunteer data included employment and volunteer records with associated personal information.

Impact on Individuals

The breach created severe risks across JewishCare's community:

  • Identity theft: Complete identity document sets enabled comprehensive fraud
  • Financial fraud: Bank accounts and credit card details exposed
  • Safety risks: Domestic violence court orders exposed could endanger victim-survivors
  • Health privacy: Medical records and health data compromised
  • Emotional harm: Exposure of sensitive family, health, and personal experiences

The publication of domestic violence protection orders on the dark web created particularly acute safety risks for individuals who had sought refuge from abusive relationships.

Organisational Response

JewishCare engaged cyber experts, reported to ACSC, AFP, NSW Police, National Office of Cyber Security, and OAIC. The organization emphasized the breach appeared not to be a targeted attack on the Jewish community specifically, though continued working with law enforcement on the investigation.

Verification Source: View original statement