Home - Communities and Justice - NSW Government Logo
Communities and Justice

Public Notification Register

Section 59P of the Privacy and Personal Information Protection Act 1998 (NSW) ('PPIP Act') requires DCJ to maintain a Public Notification Register ('Register').

This Register includes details about data breaches where a person affected by the breach is likely to suffer serious harm as a result of the breach ('eligible data breach') and it is not reasonably practicable to notify them individually.

Public Notification Register

Click the relevant section(s) below to read about DCJ's publicly notified eligible data breach(es).

Riverina Medical and Dental Aboriginal Corporation ('RivMed') Data Breach

Date of eligible data breach

October 2024

Type and description of the breach

Cyber incident affecting DCJ’s contracted service provider – Riverina Medical and Dental Aboriginal Corporation ('RivMed').

How the breach occurred

Phishing incident led to a breach of RivMed’s IT systems.

Other affected agencies (if applicable)

Department of Communities and Justice ('DCJ')

Personal information subject of the breach

The Family Preservation and Out of Home Care files of DCJ clients who received services from RivMed.

Time the information was available as a consequence of disclosure, access, or loss

Ongoing.

Information has not been published online.

Risk mitigation activities and or planned action to control harm

DCJ and RivMed acted immediately to contain and investigate the incident, including:

  • steps taken to ensure the data is not made publicly available.
  • continued monitoring of the web and dark web.
  • reporting the incident to NSW Police for investigation.
  • reporting the incident to the NSW Privacy Commissioner.

Recommended action(s) for affected individuals

View our fact sheet for information on how you can:

  • confirm if your information was affected.
  • take steps to protect your information.
  • if needed, access various support services.
  • if you are affected, make a complaint or seek a review.

Date notification published

12 January 2026

Information alert

No information will be displayed on this Register if there are no current notifications.

How long will information be published on the Register?

Notifications on this Register must be published for at least 12 months after the date the notification is published.

Who can I contact about a data breach on the Register?

Contact databreach@dcj.nsw.gov.au for further information about an eligible data breach published on the Register.

Making a privacy complaint

A person affected by an eligible data breach may lodge a privacy complaint and or lodge an application for internal review under the PPIP Act.

Visit the DCJ Privacy Management Plan for information about how to make a complaint or apply for an internal review.

Last updated: