An Australian cosmetic surgery chain is being investigated by the NSW Privacy Commissioner and could face a compensation payout after confidential information, including before-and-after photos of breast enhancements and other surgeries, was placed online without essential security protections.
The data breach by The Cosmetic Institute, which runs clinics in Sydney, Melbourne and the Gold Coast, saw names, addresses, Medicare numbers, medical histories and photos published online, according to The Saturday Telegraph.
The private details of more than 500 women were uploaded to an index of the clinic’s website that could be accessed by the public until Friday, when the cosmetic chain was contacted by the media.
Dating back to 2014, the data included bra sizes, weight and reasons for surgery, such as one victim’s desire to “regain shape and fullness after having two kids” through breast augmentation.
The Cosmetic Institute issued a statement saying it was “very apologetic” to victims of the “hacking”.
“On notification the vulnerability was fixed immediately and we now have an independent security expert auditing the process,” the statement read.
The healthcare provider claimed a digital agency was responsible for managing its website.
Centennial Lawyers is working with victims on a possible class action. One of the victims told the News Corp publication she felt “violated”.
The NSW Privacy Commissioner is investigating whether The Cosmetic Institute has broken the law.
"Private health service providers operating in NSW can be covered by both NSW and Commonwealth legislation. Both pieces of legislation require health information to be held securely. This is a fundamental and very important aspect of the health privacy responsibilities of health service providers such as medical practitioners, and also of certain organisations that hold health information," NSW Privacy Commissioner Dr Elizabeth Coombs told Healthcare IT News Australia.
The commissioner urged those who fear their information may have been compromised to contact the offices of the NSW or federal privacy commissioners, and said those who have called in the wake of the weekend's revelations have been "devastated".
"One of the concerns raised by callers is the humiliation and embarrassment they feel, combined with not knowing who may have seen their naked images," Coombs said.