Doctors Outraged After NSW Health Department Leaks Personal and Professional Data

NSW Health exposed passports, medical credentials, and IDs of nearly 600 doctors, sparking outrage and raising serious risks of identity theft, fraud, and professional impersonation.

    Nearly 600 Medical Staff Affected by Major Data Exposure

    The New South Wales (NSW) government has come under scrutiny after accidentally leaking confidential records of almost 600 medical staff, including 67 senior doctors based in Sydney. The sensitive documents, uploaded without proper security controls, were accessible on the websites of the South Eastern Sydney and Illawarra Shoalhaven local health districts, both of which use a shared system.

    Doctors expressed outrage at the breach, describing the handling of their information as “reckless.” Many now fear being targeted for identity theft or professional impersonation.

    Details of the Accidental Disclosure

    On August 21, the South Eastern Sydney district confirmed the incident in a letter to affected clinicians. Kate Hackett, Acting Chief Executive of the district, stated that information which should have been password-protected was “found to be publicly accessible via the district’s website.”

    According to Hackett’s letter and an attached FAQ document, the exposed material was tied to the credentialing process for senior medical officers presented to the district’s Medical and Dental Appointments Advisory Committee between July 2020 and August 2025.

    NSW Health clarified that the breach was not the result of a targeted cyberattack. Instead, the “unauthorised disclosure was due to a configuration problem with the website platform.”

    Sensitive Information Included in the Breach

    The breach exposed a large volume of highly detailed personal and professional documentation. A doctor who requested anonymity described the dataset as “extremely broad and detailed,” containing:

    • Passports, driver’s licences, Medicare cards, and birth certificates
    • Certificates, logbooks, and letters of reference
    • Records of medical qualifications and work history
    • Registrations with the Australian Health Practitioner Regulation Agency (Ahpra)
    • Registrations with medical colleges and specialist boards

    This extensive dataset represents a complete profile of affected doctors’ identities and professional careers, creating significant risk of exploitation.

    How the Data Could Be Misused

    Doctors warned that the leaked documentation forms a “very powerful dataset” that could be weaponized by malicious actors. With multiple tiers of identification, a bad-faith actor could impersonate a registered doctor convincingly enough to bypass identity checks.

    Potential misuse scenarios include:

    • Fraudulently applying for positions within the health system
    • Illegally purchasing controlled substances such as fentanyl
    • Impersonating doctors in expert opinions or advertisements
    • Exploiting identities for online consultations or through AI-generated impersonations

    The dataset’s depth and breadth could allow impostors to present multiple “proof” documents if questioned, strengthening fraudulent activity.

    Response from NSW Health

    A NSW Health spokesperson acknowledged the breach, saying:

    “The privacy of our patients and our staff is taken very seriously and we sincerely apologise to the impacted staff in both districts.”

    The spokesperson confirmed that all exposed documents had been removed and that a “full investigation is under way, including forensic analysis.” Privacy impact assessments have been completed, and affected clinicians have been directly contacted.

    NSW Health also engaged IDCare, Australia’s identity and cyber support service, to provide free advice and assistance to impacted staff. Importantly, officials emphasized that the exposed documents did not include patient records or identifiers.

    Compensation and Support for Affected Doctors

    The South Eastern Sydney local health district committed to reimbursing costs associated with renewing critical identity documents, including passports, driver’s licences, and birth certificates.

    The FAQ document provided to doctors also outlined steps being taken to strengthen systems and ensure such a breach does not occur again.

    Reaction from Medical Associations and Unions

    The NSW branch of the Australian Medical Association (AMA) called the incident “a concerning breach,” but commended the districts for proactively contacting every affected doctor and providing necessary support services.

    However, stronger criticism came from the Australian Salaried Medical Officers Federation (ASMOF). Its NSW president, Dr. Nicholas Spooner, said:

    “It is deeply concerning that the private and highly sensitive data of doctors has been handled so recklessly by NSW Health, leaving them exposed to identity theft and fraud.”

    Spooner added:

    “Doctors should not have to fear that the very system they serve cannot even guarantee the security of their personal information. This breach highlights a disturbing double standard. While NSW Health is quick to try to silence doctors who attempt to speak out about unsafe staffing levels and patient risks on social media, it cannot put in place even the most basic protections to safeguard their personal data.”

    This breach underscores the urgent cybersecurity challenges facing healthcare organizations, where vast amounts of sensitive information are processed daily. Healthcare workers now face the same risks typically associated with consumer data breaches—identity theft, fraud, and professional impersonation—but with added dangers tied to their ability to prescribe medication and provide medical services.
