In what is being described as “one of the worst data breaches” in Australian history, naked photos and medical records of hundreds of women have been published online.
The Cosmetic Institute in Bondi was hit by the breach, in which sensitive data belonging to hundreds of patients who underwent cosmetic surgery at the clinic was accessible outside the clinic. The leaked data is thought to include a wealth of very personal data about the affected victims, so this is a very serious breach indeed.
The breached data is thought to include The Cosmetic Institute’s patient registration form, which can include personal data such as: name, email, Skype name, telephone and mobile number, address, date of birth, height, weight, bra size, desired outcome/expectations, reasons for pursuing surgery, marital status, occupation, country of birth, medical history, Medicare number, Medicare reference number, private health fund, membership number, GP details, emergency contact name and relationship.
The leak also included photographs. This is obviously appalling as the patient registration form already details a great amount about a patient. It would be highly embarrassing, traumatic and also intrusive for this type of information to be published for public viewing.
How many patients were involved?
It’s believed that several teenagers are among the women who fell victim to the data breach as well. According to Australia’s Daily Telegraph, there are more than 500 female patients who are affected by the breach that dates back to 2014.
The victims’ legal representative, George Newhouse at Centennial Lawyers, said that the data could have been viewed by “potentially millions of people” before the website was closed down. However, it was reported that the leak wasn’t closed down until The Saturday Telegraph raised concerns.
Mr Newhouse is looking to see whether there will be a class action lawsuit. In a statement, Mr Newhouse reiterated the seriousness of the breach:
“I’ve been involved in a number of data breaches but, according to reports, this is by far the worst because of the sensitive and intimate nature of the information being released. This data breach contains highly sensitive information and naked photos. I’ve never seen anything like it.”
Victim Jessica Clough contacted Mr Newhouse to consider all the legal options she has for taking action against the clinic. Ms Clough had a standard breast augmentation and was mortified to find that a pre-surgical form that she submitted online had been publicly visible on the website without her consent.
She said she felt “violated” and “sick to the stomach” as she noted that surgery of this nature was a very personal decision of hers. Ms Clough was also one of many women who submitted before-and-after photos of her bare breasts. It’s irrelevant whether the women were identifiable or not; their photos and personal details were splashed across the internet without prior consent from the individuals.
The clinic’s statement
The Cosmetic Institute general manager Andrew Gill declined to comment after the breach, but the clinic released a statement stating it was “deeply concerned to learn of the hacking of confidential data and we are very apologetic to those who have been affected. On notification the vulnerability was fixed immediately and we now have an independent security expert auditing the process.”
It’s thought the breach was caused by an IT error which allowed public access. The clinic has tried to reassure patients by confirming that the “patient database including pre and post-op photos was not accessed.”
Privacy commissioner’s call to report the breach
The NSW Government Health spokesman said that the clinic is responsible for managing and keeping clients’ records safe. The NSW Information and Privacy Commission has urged all women affected to call to report the breach as there’s a clear breach under the Privacy Act 1988.