NSW Health Data Breach Exposes Personal and Professional Records Of Nearly 600 Doctors


    A major data privacy lapse has rattled the New South Wales (NSW) health system after confidential records of nearly 600 medical staff — including 67 senior doctors — were accidentally made publicly accessible online.

    The exposed dataset included passports, driver’s licenses, Medicare cards, and professional medical credentials, creating what experts warn could be a “powerful dataset” for identity theft, fraud, and even impersonation of licensed practitioners.

    Sensitive Medical Credentials and Identity Documents Were Leaked

    According to NSW Health, the incident was traced to a configuration error affecting the shared website platform used by the South Eastern Sydney and Illawarra Shoalhaven Local Health Districts. The issue was discovered on 21 August when information intended to be password-protected was found to be openly available via search.

    The exposed information dated back to July 2020 and included documentation used in the credentialing process of current, former, and prospective senior medical officers. These documents were originally prepared for the Medical and Dental Appointments Advisory Committee.

    A letter from Kate Hackett, Acting Chief Executive of the South Eastern Sydney district, confirmed the nature of the breach and notified affected doctors.

    Scope of the Exposure and Potential Risks

    The breach impacted 67 senior doctors in the South Eastern Sydney district and over 500 medical staff in the Illawarra Shoalhaven district. The exposed documents included:

    • Personal identity documents (passports, driver’s licenses, Medicare cards)
    • Professional records such as work history, certificates, logbooks, letters of reference, and registrations with Ahpra and medical colleges

    One doctor, who spoke anonymously, said the collection of data was extremely detailed and could be misused to impersonate a registered medical professional.

    “This is a very powerful dataset. Using this documentation, someone could apply for a role in the health system or even purchase controlled substances like fentanyl,” the doctor said.

    The doctor further warned that because the dataset contained multiple layers of identity verification, fraudsters could easily pass secondary or tertiary identity checks.

    No Evidence of Malicious Use, But Serious Concerns Remain

    NSW Health stated there is no indication that the leaked documents have been maliciously used to date. However, the risk of identity theft, credential fraud, and illegal medical activity remains high.

    The districts have taken several steps to contain the incident:

    • Removal of all exposed documents from public access
    • Launch of a full forensic investigation
    • Direct notification to affected clinicians
    • Offering reimbursement for the cost of renewing identity documents
    • Engagement of IDCare, Australia’s identity and cyber support service, to provide guidance to impacted staff

    Officials emphasized that patient records and identifiers were not part of the leak.

    Doctors’ Unions and Medical Associations Condemn the Breach

    The NSW branch of the Australian Medical Association (AMA) called the breach “a concerning incident” and commended health districts for quickly contacting affected doctors and offering support.

    Dr. Nicholas Spooner, NSW President of the Australian Salaried Medical Officers Federation, sharply criticized the mishandling of sensitive data:

    “It is deeply concerning that the private and highly sensitive data of doctors has been handled so recklessly by NSW Health, leaving them exposed to identity theft and fraud. Doctors should not have to fear that the very system they serve cannot even guarantee the security of their personal information.”

    Spooner further argued that this breach highlights a double standard, noting that NSW Health enforces strict rules on doctors speaking publicly about patient safety concerns but has failed to protect its workforce from basic data privacy risks.

    Growing Cybersecurity Pressure on Health Systems

    This breach underscores the rising cybersecurity and data privacy challenges in the healthcare sector. Health systems are increasingly targeted by cybercriminals for their sensitive data, and misconfigurations like this highlight the risk of insider-driven or accidental data exposures.

    Enterprise security leaders are likely to view this as a reminder to audit web configurations, access controls, and credentialing workflows to ensure sensitive documents are not publicly exposed.
