Public Notification Register

Date of eligible data breach

October 2024

Type and description of the breach

Cyber incident affecting DCJ’s contracted service provider, Riverina Medical and Dental Aboriginal Corporation ('RivMed').

How the breach occurred

Phishing incident led to a breach of RivMed’s IT systems.

Other affected agencies (if applicable)

N/A

Personal information subject of the breach

The Family Preservation and Out of Home Care files of DCJ clients who received services from RivMed.

Time the information was available as a consequence of disclosure, access, or loss

Ongoing.

Information has not been published online.

Risk mitigation activities and or planned action to control harm

DCJ and RivMed acted immediately to contain and investigate the incident, including:

• steps taken to ensure the data is not made publicly available.
• continued monitoring of the web and dark web.
• reporting the incident to NSW Police for investigation.
• reporting the incident to the NSW Privacy Commissioner.

Recommended action(s) for affected individuals

View our fact sheet for information on how you can:

• confirm if your information was affected.
• take steps to protect your information.
• if needed, access various support services.
• if you are affected, make a complaint or seek a review.

Date notification published

12 January 2026

Date of eligible data breach

October 2025

Type and description of the breach

Cyber incident affecting DCJ’s contracted service provider, Westhaven Ltd.

How the breach occurred

Phishing incident led to a breach of Westhaven’s IT systems (unauthorised access).

Other affected agencies (if applicable)

N/A

Personal information subject of the breach

Personal information of DCJ clients receiving services from Westhaven, including names, contact details, addresses, guardianship information, Behaviour Support Plans, health information, and service details.

Time the information was available as a consequence of disclosure, access, or loss

Approximately 30 days.

Risk mitigation activities and or planned action to control harm

DCJ and Westhaven acted immediately to contain and investigate the incident, including:

• Westhaven reset and secured the compromised account and devices.
• Westhaven reported the incident to the NSW Police Force, resulting in several devices being seized.

Recommended action(s) for affected individuals

Individuals can:

• use long, complex passwords, especially for online services such as banking, email, and social media. You should change and strengthen your passwords if you currently use the same password for multiple accounts and services.
• implement multi-factor authentication on digital services where available. For example, where you receive an additional code sent to your phone by SMS before you can log into your account.
• don’t open messages or click links if you don’t know the sender or if you’re not expecting the message (phishing emails).
• if you believe that your personal information has been misused (for example, as part of a scam, identity theft, or fraud), we recommend that you contact the NSW Police Force.

Date notification published

4 March 2026