Last Update: 03/06/2022
In late May 2022, Mercy Community was advised by one of its technology vendors “CTARS” (a cloud-based client management system for out of home care services) that an unauthorised third party had gained access to CTARS’ systems, and that a sample of CTARS systems data had been posted on a ‘deep web’ forum.
The ‘deep web’ is a section of the internet hidden from search engines and not easily accessible by the general public.
Mercy Community uses CTARS for storing the information of some of the people we support, relevant to the health and community services we provide them. CTARS also supports Mercy Community in our compliance and service accreditation requirements.
We have been advised that CTARS has reported the incident to the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC), and they have also engaged external cyber-security and forensic specialists to contain the event, implement additional security measures and investigate the incident.
What Mercy Community is doing in response
Consistent with our mission and values, we take the privacy and security of all personal information very seriously.
When we became aware of the CTARS incident, Mercy Community immediately assembled a dedicated internal team (supported by leading external advisors) to respond to the incident and conduct a detailed analysis of the information we store on CTARS. This analysis, which is ongoing, will enable us to notify any of the people we support or staff members whose information may have been affected by this incident and provide them with tailored advice on how to further protect their information.
We have been advised that this detailed analysis may take some time, however we are fully committed to keeping all stakeholders updated on our progress and will directly notify affected individuals once we have identified whose information has been affected, and the extent to which it has been affected.
Further general updates will be posted on this website as more facts become available.
Who to contact for more information
An independent national identity and cyber support community service (IDCARE) has been engaged to support you if you need assistance. If you are concerned about the potential misuse of your personal information, we have arranged free support from IDCARE.
If you are supported through one of Mercy Community’s services or you are a Mercy Community staff member, you can find out more about the CTARS cyber incident and the types of information of yours that may have been stored on CTARS, by contacting Mercy Community via:
Phone: (07) 2113 8932 (8.30am – 5pm AEST Monday to Friday)
We are committed to keeping the people and communities we serve fully informed as we work to resolve this issue as swiftly as possible, and sincerely apologise for the inconvenience and concern this incident may cause the people we support, their families and our staff.
Media enquiries should be directed to: