Nearly 600 medical staff have had their data exposed after the New South Wales health department mistakenly left confidential documents publicly available on the internet.

The personal details of current and former senior medical officers and other staff were reportedly left accessible on the South Eastern Sydney and Illawarra Shoalhaven local health districts’ websites thanks to an undisclosed misconfiguration.

A NSW Health spokesperson told Information Age several confidential documents were attainable “via search”, impacting over 60 doctors in the South Eastern Sydney district and more than 500 medical staff in Illawarra Shoalhaven.

As first reported by The Guardian, a doctor impacted by the leak said the exposed data included Medicare cards, passports, driver's licences, and a slew of professional documents, including work histories, logbooks, letters of reference, and certificates.

Prospective medical officers were also caught by the leak, with registrations to medical colleges and the Australian Health Practitioner Regulation Agency (AHPRA) also made accessible on the district websites.

“The documents do not contain patient records or other patient identifiers. There is no known malicious use of the data,” the NSW Health spokesperson said.

“NSW Health takes the privacy of our patients and our staff very seriously and we sincerely apologise to the impacted staff in both districts.

“All documents were removed, and a full investigation is underway including forensic analysis.”

Sorry, we forgot to use a password

Kate Hacket, acting chief executive of the South Eastern Sydney local health district, wrote a letter to inform doctors who had been affected by the breach.

This letter, seen by The Guardian, reportedly revealed a range of confidential data was left “publicly accessible” via the district’s website, despite the fact it was meant to be password-protected.

Hacket’s letter allegedly explained the leak was identified on 21 August, and included personal details and documentation related to a “credentialing process” in the district’s Medical and Dental Appointments Advisory Committee between July 2020 and August 2025.

An attached FAQ document explained the “unauthorised disclosure” was due to a “configuration problem with the website platform” rather than a targeted cyberattack.

Although there was no known misuse of the exposed documents to date, there remained a “risk of identity theft or fraud”.

The district will reimburse the cost of renewing exposed identification documents, including passports, driver's licences, and birth certificates.

Almost 600 medical workers had their personal data exposed by NSW Health websites. Image: Shutterstock

A ‘very powerful dataset’

One of the affected doctors told The Guardian the exposed information was “extremely broad” and “detailed”.

They reportedly warned the documents formed a “very powerful dataset” which could be used to impersonate registered medical professionals and apply for jobs in the health system.

The dataset could be particularly handy for someone looking to purchase drugs under a doctor's identity, they warned, while the availability of second-, third-, and fourth-tier documents could also enable fraudsters to falsely verify their identity.

Jamieson O’Reilly, founder of Australian information security company Dvuln, explained many NSW government websites, including the South Eastern Sydney local health district site, were built on Drupal – an open-source content management system.

O’Reilly said although the software was flexible, it was also “complex” and “demands careful hardening”.

“Proper practice is to segregate public content from private records entirely, enforce restricted file storage, and apply strong access controls,” he said.

O’Reilly also pointed out a framework on the district’s website which outlined that published PDF documents should “not have inbuilt security applied to prevent content copying unless there is a strong and valid business need”.

“While these directives are intended to improve accessibility, they also highlight the tension between usability and security,” he said.

“A health department holding some of the most sensitive personal data in the country is expected to have been running automated discovery, assurance testing, and configuration reviews at a level equal to financial institutions.

“The fact that the documents were indexable via search shows that those controls were not applied rigorously enough and if they were believed to be, then it’s probably time to consider reviewing them.”
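The segregation of public content from private records that O'Reilly describes, and the indexability problem he points to, map onto a handful of Drupal settings. The fragment below is an added illustration, not code from the article, NSW Health or the Drupal project; the article does not say which setting was wrong, and the directory paths are assumptions.

```php
<?php
// settings.php fragment (illustrative; paths are assumed, not from the article).

// WEAK: private files kept under the web root. Drupal drops a .htaccess
// with "Require all denied" into this directory, but that only holds on
// Apache with AllowOverride enabled. On nginx, or if the file is lost,
// the web server serves the PDFs directly and search engines can index them.
// $settings['file_private_path'] = 'sites/default/files/private';

// CORRECTED: private files live OUTSIDE the document root, so the web
// server cannot hand them out at all. Drupal streams them itself via
// its file-download route, and only after the access check on the
// entity that owns the file passes.
$settings['file_private_path'] = '/var/www/nsw-private';   // assumed path

// Public files are world-readable and crawlable by design; only material
// that is meant for publication belongs here.
$settings['file_public_path'] = 'sites/default/files';

// Temporary uploads likewise stay out of the document root.
$settings['file_temp_path'] = '/var/tmp/drupal';           // assumed path

// Caveat: setting file_private_path is not enough. Each file field that
// holds credentialing documents must have its upload destination set to
// "Private files" in its field storage settings; a field left on the
// default public scheme still writes uploads into file_public_path.
```

A configuration review of the kind O'Reilly calls for would confirm both halves: that the private path resolves outside the web root, and that every field carrying identity or credentialing documents uses the private scheme.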

NSW Health did not comment when asked if the reported leak was related to Drupal.