NSW Health (South Eastern Sydney and Illawarra Shoalhaven Local Health Districts)

New South Wales (NSW) Health inadvertently exposed confidential documents of nearly 600 medical staff, including 67 senior doctors, via a misconfigured website platform. The leaked data—part of the 'credentialing process' for current, former, and prospective senior medical officers (2020–2025)—included highly sensitive personal and professional records: passports, driver’s licences, Medicare cards, medical qualifications, work histories, logbooks, reference letters, and registrations with regulatory bodies (Ahpra, medical colleges). While no malicious use was confirmed, the breach posed severe risks of identity theft, fraud, and impersonation (e.g., applying for medical roles, purchasing drugs like fentanyl, or generating fake expert opinions). NSW Health acknowledged that the 'unauthorised disclosure' stemmed from a website configuration error, not a cyberattack, and offered affected staff reimbursement for ID renewals and support via IDCare. The incident sparked outrage among doctors, with unions criticizing NSW Health’s 'reckless' data handling and its 'double standards' in safeguarding staff privacy while enforcing strict social media policies on them.

Source: https://www.theguardian.com/australia-news/2025/sep/10/nsw-government-leaked-confidential-medical-documents-doctors-outraged-personal-professional-data-online

TPRM report: https://www.rankiteo.com/company/nsw-health

"id": "nsw2364123091025",
"linkid": "nsw-health",
"type": "Breach",
"date": "6/2020",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': '67 senior doctors',
                        'industry': 'Healthcare',
                        'location': 'Sydney, New South Wales, Australia',
                        'name': 'South Eastern Sydney Local Health District',
                        'type': 'Government Health Agency'},
                       {'customers_affected': 'Over 500 medical staff',
                        'industry': 'Healthcare',
                        'location': 'Illawarra Shoalhaven, New South Wales, '
                                    'Australia',
                        'name': 'Illawarra Shoalhaven Local Health District',
                        'type': 'Government Health Agency'},
                       {'industry': 'Healthcare',
                        'location': 'New South Wales, Australia',
                        'name': 'NSW Health',
                        'type': 'Government Health Department'}],
 'customer_advisories': ['Direct communication with affected clinicians '
                         'offering support services (IDCare)',
                         'Reimbursement for identity document renewal costs',
                         'Guidance on monitoring for identity theft and fraud'],
 'data_breach': {'data_encryption': 'Intended (documents were supposed to be '
                                    'password-protected but were '
                                    'misconfigured)',
                 'file_types_exposed': ['PDFs (passports, driver’s licences, '
                                        'Medicare cards)',
                                        'Certificates (proof of credentials)',
                                        'Logbooks',
                                        'Letters of reference',
                                        'Registration documents (Ahpra, '
                                        'medical colleges)'],
                 'number_of_records_exposed': 'Almost 600 (including 67 senior '
                                              'doctors and over 500 medical '
                                              'staff)',
                 'personally_identifiable_information': ['Full names',
                                                         'Passport details',
                                                         'Driver’s licence '
                                                         'details',
                                                         'Medicare card '
                                                         'numbers',
                                                         'Work history',
                                                         'Professional '
                                                         'references',
                                                         'Medical registration '
                                                         'numbers'],
                 'sensitivity_of_data': 'Extremely high (comprehensive '
                                        'personal and professional records '
                                        'enabling identity theft and fraud)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Professional credentials',
                                              'Medical registration details',
                                              'Employment application '
                                              'documents']},
 'date_detected': '2024-08-21',
 'date_publicly_disclosed': '2024-08-21',
 'description': 'The New South Wales government accidentally leaked '
                'confidential documents belonging to almost 600 medical staff, '
                'including 67 senior doctors in Sydney, who had applied for '
                'jobs with the health department. The documents were '
                'mistakenly made publicly accessible via the South Eastern '
                'Sydney and Illawarra Shoalhaven local health districts’ '
                'websites due to a configuration error. The leaked data '
                'included highly sensitive personal and professional '
                'documents, raising concerns about identity theft and fraud.',
 'impact': {'brand_reputation_impact': ['Erosion of trust among medical staff',
                                        'Criticism from Australian Medical '
                                        'Association (AMA) and Australian '
                                        'Salaried Medical Officers Federation '
                                        '(ASMOF)'],
            'customer_complaints': ['Doctors expressed outrage over reckless '
                                    'handling of sensitive data',
                                    'Fears of identity theft and misuse of '
                                    'medical qualifications'],
            'data_compromised': ['personal identity documents (passports, '
                                 'driver’s licences, Medicare cards)',
                                 'professional documents (certificates, proof '
                                 'of credentials, work history, logbooks, '
                                 'letters of reference)',
                                 'registrations to medical regulator (Ahpra)',
                                 'registrations to medical colleges',
                                 'application materials for senior medical '
                                 'officer roles'],
            'identity_theft_risk': ['High (comprehensive personal and '
                                    'professional data exposed)',
                                    'Risk of impersonation for medical roles, '
                                    'drug purchases, or fraudulent expert '
                                    'opinions'],
            'systems_affected': ['South Eastern Sydney local health district '
                                 'website',
                                 'Illawarra Shoalhaven local health district '
                                 'website']},
 'investigation_status': 'Ongoing (full investigation and forensic analysis in '
                         'progress)',
 'lessons_learned': ['Critical importance of proper website configuration for '
                     'sensitive document storage',
                     'Need for robust access controls and regular audits of '
                     'public-facing systems',
                     'Significance of timely communication and support for '
                     'affected individuals in data breaches'],
 'post_incident_analysis': {'corrective_actions': ['Removal of exposed '
                                                   'documents',
                                                   'Engagement of IDCare for '
                                                   'identity support',
                                                   'Privacy impact assessments',
                                                   'Forensic analysis to '
                                                   'prevent recurrence'],
                            'root_causes': ['Website misconfiguration '
                                            '(password-protected documents '
                                            'made publicly accessible via '
                                            'search)']},
 'recommendations': ['Implement stricter access controls for sensitive '
                     'documents on government websites',
                     'Conduct regular security audits and penetration testing '
                     'for public-facing platforms',
                     'Enhance staff training on data protection and incident '
                     'response protocols',
                     'Establish clearer protocols for handling and storing '
                     'highly sensitive personal and professional data'],
 'references': [{'date_accessed': '2024-08-22',
                 'source': 'The Guardian Australia',
                 'url': 'https://www.theguardian.com/australia-news/2024/aug/22/nsw-health-data-breach-doctors-medical-staff-confidential-documents-leak'}],
 'response': {'communication_strategy': ['Letter from Kate Hackett (acting '
                                         'CEO, South Eastern Sydney district) '
                                         'to affected doctors',
                                         'FAQ document provided to impacted '
                                         'staff',
                                         'Public apology via NSW Health '
                                         'spokesperson'],
              'containment_measures': ['All leaked documents were removed from '
                                       'the websites'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['Full investigation underway, including '
                                    'forensic analysis'],
              'remediation_measures': ['Privacy impact assessments conducted',
                                       'Direct communication with affected '
                                       'clinicians',
                                       'Free identity support services '
                                       '(IDCare) offered to staff',
                                       'Reimbursement for renewing '
                                       'identification documents (passport, '
                                       'driver’s licence, birth certificate)'],
              'third_party_assistance': ['IDCare (Australia’s identity and '
                                         'cyber support service)']},
 'stakeholder_advisories': ['Letter from Kate Hackett (acting CEO, South '
                            'Eastern Sydney Local Health District) to affected '
                            'doctors',
                            'FAQ document distributed to impacted staff',
                            'Statements from NSW Health spokesperson and '
                            'Australian Medical Association (AMA)'],
 'title': 'NSW Health Unauthorized Disclosure of Medical Staff Confidential '
          'Documents',
 'type': ['data breach', 'unauthorized disclosure', 'misconfiguration'],
 'vulnerability_exploited': 'Website platform configuration error '
                            '(password-protected documents made publicly '
                            'accessible via search)'}