Data breach at Cosmetic Institute attracts the attention of the Privacy Commissioner

June 6, 2017

Personal information relating to medical matters is highly sensitive. The Cosmetic Institute, based in Bondi and specialising in cosmetic surgery, holds a particular subset of that type of information: before and after photographs, photographs of a highly intimate nature and details which are almost invariably kept confidential.

Naked photos and medical records of hundreds of women were published online at least as late as last Saturday, and possibly earlier. It appears that the publication of this highly sensitive information included patient names, Medicare numbers and naked images of 500 people. The breach involved the data being loaded onto publicly accessible sections of the Institute’s web site. This has attracted very negative publicity, as it should.

Curiously, health facilities including clinics, hospitals and General Practitioner practices are prone to poor data storage practices as well as being a prized target for hackers and ransomware attacks. In April 2014 a cosmetic surgery clinic, the Harley Medical Group, was hacked, with the details of 500,000 patients stolen and used in a blackmail attempt. Earlier this year in the United States the Susan M Hughes Centre, which specialises in cosmetic surgery, was the subject of a ransomware attack. The attack infected files which contained names, telephone numbers and other details of 11,400 patients. Fortunately the Centre had backed up its files. It was still required to advise its patients of the data breach. In April 2017 a Lithuanian plastic surgery clinic was hacked and patient records were stolen. Photographs of patients were offered for sale. In Austin, Texas, a health clinic, Victory Medical Centre, suffered a data breach in which details of 2,000 patients were leaked online. While the breach was discovered on 5 April, the data could have been accessible as early as June 2013.

In light of this well-known problem in the health industry, it is surprising that the Cosmetic Institute suffered such a preventable data breach.

Today the Privacy Commissioner announced that he has been contacted by the Cosmetic Institute and that he is investigating.

The notice provides:

My office has contacted The Cosmetic Institute about this reported data breach.

The Privacy Act 1988 recognises the sensitive nature of health information and provides extra protections around it in recognition of the significant impact any misuse of that information can have on an individual.

If we are notified of a potential privacy breach my office makes contact with the organisation to provide advice to ensure in the first instance that they are minimising and mitigating the data breach. When there is a real risk of serious harm organisations are encouraged to notify affected individuals.

When investigating a data breach my office will evaluate the systems and processes that were in place to protect personal information and how the organisation managed the data breach; this includes whether they provided appropriate notification to people affected by the breach.

In resolving an investigation, I have a range of enforcement powers including seeking enforceable undertakings, making a determination and the power to seek a civil penalty for serious or repeated breaches of privacy. In resolving complaints from individuals I can also require an organisation to make an apology, change their practices or systems, or pay compensation.
