Physio Inq Cyber Response

In 2022 an unknown third party or parties gained unauthorised access to Physio Inq’s IT systems which contained some information belonging to our clients.

We would like to assure all of our clients that this notification statement is only precautionary.

Below is an overview of what happened during the relevant period, how it may impact affected individuals and some steps they can take in response to protect their information.

What happened?

Physio Inq became aware that an unauthorised third party or parties had gained access to an area of Physio Inq’s IT systems (specifically a small number of email mailboxes) and may have viewed some personal information of clients. Since that time, we secured the affected systems and commenced an investigation.

We have worked closely with our IT team, as well as leading external IT and cyber-security experts to investigate. We have also applied additional cyber security measures since the discovery and notified the Office of the Australian Information Commissioner (OAIC).

Following this, our focus has been to identify those who may have been affected and to determine precisely what information of theirs may have been involved.

We have no reason to believe that any personal information of clients held by Physio Inq has been misused. However, we take our privacy obligations seriously, so we are notifying our clients out of an abundance of caution.

Consistent with our organisation’s values of openness and transparency, we are providing this update to ensure our clients are aware of what has occurred and can take any additional actions to further protect their information.

If any of our clients have any questions after reviewing this notification statement and the Questions and Answers section below, please contact Physio Inq at enquiries@physioinq.com.au or via (02) 9044 8100 between the hours of 9am – 5pm, Monday to Friday.

We sincerely apologise that this has happened and for any concern or inconvenience that this may cause our valued clients.

The Physio Inq Team

Steps you can take to protect yourself from potential data misuse
(Questions and Answers)

Q: What personal information was identified?

A: The following information of some of our clients may have been accessed:

  • Contact information;
  • Bank account information (account name, BSB and account number);
  • Health information;
  • Other identification numbers, including:
    • APHRA Registration Number;
    • Provider Number;
    • NDIS Number;
    • NDIA Number;
    • Practitioner ID;
    • Working With Children Check Number;
    • Registration Number; and
    • Migration Agent Registration Number.

Q: What precautionary steps can I take?

A: We recommend that anyone who may have provided Physio Inq with the above types of information should consider their individual circumstances and the following precautionary steps.

Contact information

Where a third party or parties may have accessed your contact information, it is important to:

  • Be aware of email, telephone and text-based scams. Do not share your personal information with anyone unless you are confident about who you are sharing it with;
  • When on a webpage asking for your login credentials, take note of the web address or URL ('Uniform Resource Locator'). The URL is located in the address bar of your web browser and typically starts with https://
  • If you are suspicious of the URL, do not provide your login details. Contact the entity through the usual channels to ensure you are logging into the correct web page. Please note that Physio Inq will never contact you to ask for your username or password;
  • Enable multi-factor authentication for your online accounts where possible, including your email, banking, and social media accounts;
  • Ensure you have up-to-date anti-virus software installed on any device you use to access your online accounts;
  • Follow the Australian Competition and Consumer Commission's Scamwatch guidance for protecting yourself from scams here: https://www.scamwatch.gov.au/get-help/protect-yourself-from-scams/ ; and
  • For more information, you can visit the OAIC’s tips for further guidance about protecting your identity: https://www.oaic.gov.au/privacy/your-privacy-rights/tips-to-protect-your-privacy/

Bank account information

Some bank account information (including account name, BSB and account number) of our clients may have been accessed.

You may wish to:

  • review your recent transaction history and bank statements for any suspicious activity;
  • contact your bank to report this event and request to have higher security on your account, such as adding voice recognition, a security question, a two-step authentication or a new pin; and
  • follow any guidance from your bank.

Health information

Some health information of our clients may have been.

For context, cyber-criminals typically seek to misuse information that can be easily manipulated for financial gain (such as credit cards and identity documents for identity theft). For this reason, health information by itself is generally not useful to a cyber-criminal.

However, we know that it will be concerning to learn that your health information may have been accessed in this manner. Should you experience any anxiety or distress in relation to this, please seek medical advice from your regular treating physician or GP. Free information is available here: https://www.beyondblue.org.au/the-facts/anxiety

If clients would like to know more about the types of health information of theirs that may have been accessed, please contact Physio Inq at enquiries@physioinq.com.au or via (02) 9044 8100 between the hours of 9am – 5pm, Monday to Friday.

Other identification number

Other types of identification information of our clients may have been accessed, including:

  • APHRA Registration Number;
  • Provider Number;
  • NDIS Number;
  • NDIA Number;
  • Practitioner ID;
  • Working With Children Check Number;
  • Registration Number; and
  • Migration Agent Registration Number.

Any unauthorised access to these types of identification does not affect their validity and they can still be used for their intended purpose.

We recommend you consider if you may have shared these types of identification with Physio Inc previously, and if so, contact the issuing authority to let them know that this identification number may have been accessed by an unauthorised third party or parties.

Q: I think I need a credit report or ban, where can I go to get one?

A: You can apply for an annual free credit report from one of the consumer Credit Reporting Agencies below.

You can also consider contacting the below credit reporting bodies to place a temporary ban on your credit report (if applicable). This means that credit reporting agencies will not be able to share your credit report with credit providers without your consent for 21 days (unless extended).

Name Website
Equifax https://www.equifax.com.au/personal/products/credit-and-identity-products
Illion https://www.creditcheck.illion.com.au/
Experian http://www.experian.com.au/consumer-reports

Q: Who can I contact for more information?

A: Additional general resources on identity and cyber security can be found here:


Physio Inq at enquiries@physioinq.com.au or via (02) 9044 8100 between the hours of 9am – 5pm, Monday to Friday.

Q: Why has it taken time to notify individuals?

A: We had to conduct a detailed review of the impacted files to confirm who and precisely what personal information may have been affected, this detailed process takes time. Having completed this very detailed review, we can now provide you advice on the steps that can be taken to protect your information going forward.