NOTICE OF A DATA MATCHING PROGRAM – SERVICES AUSTRALIA AND CRACE MEDICAL CENTRE CUSTOMERS AFFECTED BY DECEMBER 2023 DATA BREACH

This notice refers to the commencement of a data matching program by Services Australia (the Agency) using information provided by Crace Medical Centre about Crace Medical Centre customers affected by the December 2023 data breach (Data Breach). The initial analysis provided by Crace Medical Centre indicates that there may be approximately 21,000 impacted customers.

Where an Agency customer’s Medicare number or Centrelink Reference Number (CRN) was disclosed as part of the Data Breach, the following data, to the extent captured by and available to Crace Medical Centre, has been provided by Crace Medical Centre to the Agency:

• card number, expiry date and customer name appearing on Medicare or Centrelink concession card
• customer’s date of birth
• customer’s address.

The Agency will compare the data provided by Crace Medical Centre to Medicare and Centrelink customer records held by the Agency. This will assist the Agency to identify affected customers and apply proactive security measures to affected customer records.

A protocol document describing this program has been developed in consultation with the Office of the Australian Information Commissioner (OAIC). Copies of the document are available from:

https://www.servicesaustralia.gov.au/data-matching-activities-for-third-party-organisation-data-breaches?context=1

The Agency adheres to the OAIC Guidelines on data matching in Australian Government administration which includes standards for data matching to protect the privacy of individuals. The Agency’s privacy policy is available at:

https://www.servicesaustralia.gov.au/organisations/about-us/publications-and-resources/privacy-policy