2025-09-16 at 9:46 pm #50558
Jenny Bituin
Participant
Brief description
On September 10, 2025, The Guardian newspaper reported on the leak of confidential documents of almost 600 medical officers from New South Wales and Sydney, Australia, who applied for jobs in the New South Wales Health Department. Personal details and professional documents of the affected medical officers became publicly accessible or “searchable” on the website of South Eastern Sydney and Illawarra Shoalhaven Local Health Districts, and the data leak includes their passports, driver’s licenses and Medicare cards, certificates with proof of credentials, work history, logbooks, letters of reference, registrations to the medical regulator Ahpra and registrations to medical colleges.
Below are the links to two articles reporting the incident:
https://www.theguardian.com/australia-news/2025/sep/10/nsw-government-leaked-confidential-medical-documents-doctors-outraged-personal-professional-data-online
https://ia.acs.org.au/article/2025/nsw-health-leaks-medical-staffs-data.html
Impact and Consequences of the Data Breach
Since the data breach is fairly recent, the impact of the data breach on the affected medical officers has not yet been fully determined. According to the article, some doctors were enraged because their sensitive data were handled recklessly and fear that they could be at risk of identity theft. This is very likely since their personal and professional documents were leaked and cybercriminals might use them to commit fraud. They might impersonate a medical officer in order to purchase drugs, provide an expert opinion or an advertisement. Since the leak also includes the medical officers’ professional documents such as their certificates with proof of credentials and letters of reference, these could also be used by a cybercriminal pretending to be a registered medical officer applying for a role in the health system.
How the data breach occurred
A full investigation of the data breach, including forensic analysis, is still underway according to a spokesperson from the New South Wales Health Department. In a letter sent by the acting chief executive of the South Eastern local health district to the affected medical officers, she said that the data breach was due to a configuration problem with the website platform and not a targeted cyberattack.
Main cause of the data breach
There is still no official report on the cause of the data breach. However, based on news articles that I have read about the incident, the cause of the breach might be due to database misconfiguration and human error. The database containing the data of the medical officers might not be correctly configured by the IT personnel to require authentication, thereby allowing the public to view the data on the website publicly.
How to prevent this data breach
In order to prevent future data breaches, the following should be done:
1. Apply strong database access controls. All confidential information should be accessible only on a need-to-know basis
2. Store only the relevant information in the database
3. Have confidentiality policies and procedures in place
4. Establish security mechanisms to ensure the enforcement of confidentiality policies (authentication, data integrity, and availability)
5. Use real-time monitoring of network and user activity to monitor for unauthorized access, track network activity, and identify security risks before they can be exploited
6. Conduct routine assessment of security risks in the IT infrastructure
2025-09-16 at 10:49 pm #50560
Than Htike Aung
Participant
This kind of mistake usually happens all the time, especially when migrating to a new environment or when staff change in the IT department. One of the methods to prevent that kind of scenario is to use infrastructure-as-code (IaC) such as Ansible. It makes the cloud environments reproducible and consistent. Moreover, it keeps all configurations under version control (Git) with proper branching and defines clear naming conventions and templates for services, databases, and secrets to align with good practice of server maintenance. In simple terms, it keeps the user under the security practice of best industry standards with minimal effort.