
NDIS flaw let providers log in and steal thousands

A flaw in the National Disability Insurance Scheme portal has been closed after it allowed operators to steal thousands of dollars.

The design fault in the NDIS interface allowed any participant or registered provider to essentially raise their own invoices in these windows and be paid immediately.

A security flaw in the service portal for the $22 billion National Disability Insurance Scheme was closed last night after it was revealed fraudulent operators could search random numbers, bring up private information of disabled people and steal thousands of dollars without question.

The agency in charge of the rollout is investigating a “small number” of providers who exploited the security gap and it will set about recovering stolen or misappropriated tens of thousands of dollars.

The design fault in the NDIS interface allowed any participant or registered provider to guess a nine-digit plan number in the search function and bring up random support packages from participants. Companies have then used this function to essentially raise their own invoices in these windows and be paid immediately.

An investigation by The Australian was under way when the National Disability Insurance Agency issued an update to the payments portal, which it described as an “enhancement” in a note to users yesterday.

The changes, which took effect last night, require three pieces of sensitive information to conduct a search and bring up a plan: the NDIS number and the participant’s last name and date of birth.
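The contrast between the old lookup and the three-factor lookup the agency introduced can be shown in code. The block below is an added illustration, not code from the NDIA, the myplace portal or this article: the participant records, plan numbers and provider IDs are constructed sample data, and the `PlanLookupService` class, its failure threshold and its audit log are assumptions about how a defender would model the fix, not a description of the real system.

```python
"""Illustrative model of the lookup fix the article describes.

Added example, not NDIA code: the participant records, plan numbers and
provider IDs are constructed sample data, and no claim is made about the
real myplace portal's API or data model.
"""
import hmac
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Participant:
    plan_number: str   # nine-digit NDIS number
    first_name: str
    last_name: str
    dob: str           # ISO date, YYYY-MM-DD
    plan_summary: str  # stands in for the funded support package


# Constructed sample records; two participants deliberately share a name.
PARTICIPANTS = {
    "123456789": Participant("123456789", "Alex", "Smith", "1990-04-02", "Core supports: $12,000"),
    "123456790": Participant("123456790", "Alex", "Smith", "1985-11-09", "Capacity building: $8,500"),
    "987654321": Participant("987654321", "Sam", "Jones", "2001-07-30", "Core supports: $20,000"),
}


def lookup_by_number_only(plan_number):
    """Original behaviour described in the article: any nine-digit number that
    exists returns the plan, with no further verification of the caller."""
    return PARTICIPANTS.get(plan_number)


def lookup_by_name_only(first_name, last_name):
    """Also described: a name-only search returns every participant with that
    name, which is how the same-name billing mistakes happened."""
    return [p for p in PARTICIPANTS.values()
            if (p.first_name, p.last_name) == (first_name, last_name)]


class PlanLookupService:
    """Hardened lookup modelled on the fix: NDIS number, last name and date of
    birth must all match, every attempt is logged, and a burst of failures from
    one provider is flagged so enumeration can be detected and blocked."""

    def __init__(self, failure_threshold=5, window_seconds=600):
        self.failure_threshold = failure_threshold
        self.window_seconds = window_seconds
        self._failures = defaultdict(deque)  # provider_id -> failed-lookup timestamps
        self.audit_log = []                  # (ts, provider_id, plan_number, matched)

    def lookup(self, provider_id, plan_number, last_name, dob, now=None):
        now = time.time() if now is None else now
        p = PARTICIPANTS.get(plan_number)
        # All three factors must match; compare_digest avoids a name-prefix
        # timing leak, and the caller gets one uniform answer on any mismatch.
        matched = (
            p is not None
            and hmac.compare_digest(p.last_name.casefold().encode(),
                                    last_name.strip().casefold().encode())
            and p.dob == dob
        )
        self.audit_log.append((now, provider_id, plan_number, matched))
        if not matched:
            self._failures[provider_id].append(now)
            self._expire(provider_id, now)
            return None  # same response whether number, name or DOB was wrong
        return p

    def _expire(self, provider_id, now):
        q = self._failures[provider_id]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def is_enumerating(self, provider_id, now=None):
        """True when a provider has hit the failure threshold within the window."""
        now = time.time() if now is None else now
        self._expire(provider_id, now)
        return len(self._failures[provider_id]) >= self.failure_threshold
```

The failure counter is the part the article's remedy does not mention but a defender would pair with it: requiring three factors makes a random plan number useless on its own, and logging plus a per-provider failure threshold turns the "keyed a random number in" behaviour quoted later in the story into a detectable, blockable pattern rather than a silent success.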

“The NDIA apologises for any inconvenience the temporary unavailability of the myplace provider portal may cause,” the memo said. “This enhancement will assist you to more effectively find and link with the participant you are providing services to.”

The way the system is designed allows disabled people to outsource payment and service bookings to their approved providers, but few knew about the security liability that gave fraudulent operators unfettered access once they had accessed the portal.

The Australian understands the site, which also allowed single searches by a participant’s first and last name, led to providers mistakenly taking money from clients who had the same name because it required no other verification.

“It’s a crazy breach of privacy,” one NDIS participant said on an online forum where users first noticed the problem.

Another said: “Unbelievable — I just logged in to the provider portal and keyed a random number in and a plan came up.”

The rollout of the NDIS, the largest single social reform since Medicare, has been continuously sabotaged by a bolt-on IT system provided by the Department of Human Services after the incoming Coalition government baulked at the cost of building a new, fit-for-purpose network.

In July 2016, just as the scheme entered an ambitious transition to full rollout, the portal failed and some disability service providers could not be paid for months and support for disabled people was disrupted. The IT systems failed again earlier this year when thousands of remote-access staff and contractors who drew up participant support plans lost access to the software that allowed them to work away from head office. It was resolved only after the problem was raised at Senate estimates.

The NDIA said some providers were “under investigation by the NDIS fraud taskforce”.

“As a result of these ongoing investigations, a number of providers have been blocked from accessing payments while suspicious claims are being investigated, to ensure participants are protected,” a spokeswoman said. “The NDIA has also commenced contacting a small number of impacted participants. The NDIA will ensure participants’ funds are reinstated, where appropriate.

“The NDIA and commonwealth government will not tolerate the misuse of funds intended to support people with disability and takes all reports of suspected fraud seriously. Fraud is a crime. People who commit criminal acts run the risk of being subject to criminal prosecution.”


Original URL: https://www.theaustralian.com.au/nation/health/ndis-flaw-let-providers-log-in-and-steal-thousands/news-story/450199abd303680a41490cb770dd68d3