Most sensitive and personal data breach in Australia’s history?

In what is being described as “one of the worst data breaches” in Australian history, naked photos and medical records of hundreds of women have been published online.

The Cosmetic Institute in Bondi was hit by the breach, in which sensitive data of hundreds of patients who underwent cosmetic surgery at the clinic was accessible outside the clinic. The leaked data is thought to include a wealth of very personal information about the victims, so this is a very serious breach indeed.

The breached data is thought to include The Cosmetic Institute’s patient registration form, which can include personal data such as: name, email, Skype name, telephone and mobile number, address, date of birth, height, weight, bra size, desired outcome/expectations, reasons for pursuing surgery, marital status, occupation, country of birth, medical history, Medicare number, Medicare reference number, private health fund, membership number, GP details, emergency contact name and relationship.

The leak also included photographs. This is obviously appalling as the patient registration form already details a great amount about a patient. It would be highly embarrassing, traumatic and also intrusive for this type of information to be published for public viewing.

How many patients were involved?

It’s believed that several teenagers are among the women who fell victim to the data breach as well. According to Australia’s Daily Telegraph, there are more than 500 female patients who are affected by the breach that dates back to 2014.


The victims’ legal representative, George Newhouse at Centennial Lawyers, said that the data could have been viewed by “potentially millions of people” before the website was closed down. However, it was reported that the leak wasn’t closed down until The Saturday Telegraph raised concerns.

Mr Newhouse is looking to see whether there will be a class action lawsuit. In a statement, Mr Newhouse reiterated the seriousness of the breach:

“I’ve been involved in a number of data breaches but, according to reports, this is by far the worst because of the sensitive and intimate nature of the information being released. This data breach contains highly sensitive information and naked photos. I’ve never seen anything like it.”

Case study

Victim Jessica Clough contacted Mr Newhouse to consider all the legal options she has for taking action against the clinic. Ms Clough had a standard breast augmentation and was mortified to find that a pre-surgical form she had submitted online had been publicly visible on the website without her consent.

She said she felt “violated” and “sick to the stomach” as she noted that surgery of this nature was a very personal decision of hers. Ms Clough was also one of many women who submitted before and after photos of her bare breasts. It’s irrelevant whether the women were identifiable or not; their photos and personal details were splashed across the internet without prior consent from the individuals.

The clinic’s statement

The Cosmetic Institute general manager Andrew Gill declined to comment after the breach, but the clinic released a statement saying it was “deeply concerned to learn of the hacking of confidential data and we are very apologetic to those who have been affected. On notification the vulnerability was fixed immediately and we now have an independent security expert auditing the process.”

It’s thought the breach was caused by an IT error which allowed public access. The clinic have tried to reassure patients by confirming that the “patient database including pre and post-op photos was not accessed.”

Privacy commissioner’s call to report the breach

The NSW Government Health spokesman said that the clinic is responsible for managing and keeping clients’ records safe. The NSW Information and Privacy Commission has urged all women affected to call to report the breach as there’s a clear breach under the Privacy Act 1988.


Contact is © of Your Lawyers Limited - we are 'Authorised and Regulated by the Solicitors Regulation Authority (SRA number 508768)'