Notification of a security compromise in terms of the Protection of Personal Information Act, 4 of 2013 (“POPIA”)

• On 28 July 2025 a file containing IRP 5 documentation of 2482 employees for the 2022-2023 tax period (1 March 2022 to 28 February 2023) was unintentionally shared with a previously employed employee (“recipient”) via email transmission to a personal account. The recipient reported the security incident on 30 July 2025. The recipient was asked to delete the file the same day and confirmed its deletion on 31 July 2025.

• Employee information:
  1. Name
  2. Surname
  3. Initials
  4. Income tax number
  5. Employee code
  6. Date of birth
  7. Identification number
  8. Business / home telephone number
• Employees residential address
• Employees postal address
• Employees pay period
• Bank account details
  1. Account holder
  2. Account number
  3. Bank name
  4. Branch name
  5. Branch code
  6. Account type
• Employees business address
• Income received
• Deductions / contributions
• Tax withheld and gross taxable income

• Possible consequences in the event the information has not been deleted as confirmed above, include the selling of personal information, identification theft, financial loss and fraud being committed using the compromised, if any, personal information.

We advise the following protective measures:

• If you suspect any theft of identification or fraud, please immediately notify TB HIV Care, the South African Police Service and the Information Regulator.
• Carefully monitor and review your bank statements and any monetary transactions for suspicious behaviour.
• Request a credit report from a credit bureau to identify unusual activity.
• Request a fraud alert for protective registration with SA credit bureaus using the following link:
  • https://www.safps.org.za/Home/OurServices_ApplyProtectiveRegistration
  • Consider a credit freeze.
  • Change passwords and answers to security questions to apps such as banking apps, email and mobile apps and remove any security questions that use the identification detail indicated in this notice.

TB HIV Care (THC) has taken the following measures:

• The recipient was requested to delete the file on 30 July 2025.
• The recipient confirmed that such file had been deleted from her account on 31 July 2025.
• THC has put in place more access controls, which means that fewer people have access to such information.
• An investigation into the compromise and its impact is underway.

THC intends on:

• Ensuring that the recipient has deleted the email by requesting the recipient to sign an affidavit confirming the above.
• Taking appropriate internal action.
• Providing training specific to the relevant department.
• Reviewing department specific standard operating procedures pertaining to personal information.
• Assessing and reviewing access controls in greater detail.

THC takes the security of personal information seriously and is implementing additional safeguards to strengthen our systems and reduce the risk of similar incidents in future. Our investigation is ongoing, and we remain committed to transparent communication as further relevant information becomes available.