
The New South Wales government has accidentally leaked confidential documents belonging to almost 600 medical staff, including 67 senior doctors in Sydney, who had applied for jobs with the health department.
Doctors are enraged that their sensitive data was handled “recklessly” and fear they could now be at risk of identity theft. Medical qualifications could be misused by bad-faith actors to impersonate doctors or buy drugs, they said.
The confidential documents were mistakenly made accessible on the South Eastern Sydney and Illawarra Shoalhaven local health districts’ websites, which use a shared system, “via search”, a NSW Health spokesperson said.
At least 67 senior doctors were affected in the South Eastern Sydney district, while more than 500 medical staff were affected in Illawarra Shoalhaven.
A letter from Kate Hackett, the acting chief executive of the South Eastern Sydney district, informed doctors that their information was part of the data breach.
In the letter, seen by Guardian Australia, Hackett writes that on 21 August the district identified that information supposed to be password-protected was “found to be publicly accessible via the district’s website”.
The information included personal details and documentation involved in the “credentialing process” of current, former and prospective senior medical officers presented to the district’s Medical and Dental Appointments Advisory Committee between July 2020 and August 2025, Hackett’s letter and an attached FAQ document explained.
The document stated that the incident was not a targeted cyber-attack but rather the “unauthorised disclosure was due to a configuration problem with the website platform”.
A doctor whose personal information was part of the breach told Guardian Australia the documentation contained “extremely broad and detailed information”.
It included personal identity documents such as passports, driver’s licences and Medicare cards. Professional documents were also leaked, including certificates with proof of credentials, work history, logbooks, letters of reference, registrations to the medical regulator Ahpra and registrations to medical colleges, the doctor said.
The FAQ document stated there was no known malicious use of the documents to date, but “there is a risk of identity theft or fraud”.
These documents, combined, were a “very powerful dataset” that could be used to impersonate a registered medical professional, the doctor, who spoke on the condition of anonymity, told Guardian Australia.
Using the documentation, someone could apply for a role in the health system, or they could also use a doctor’s identity to buy drugs, including opioids like fentanyl, the doctor said.
They could also attempt to impersonate a doctor to provide an expert opinion or for an advertisement, as the New York Times recently reported was occurring, with AI being used to impersonate real doctors.
The dataset was so big that if the person committing fraud was asked to verify their identity, they could immediately prove it, with second, third and fourth tier documents, the anonymous doctor said.
The FAQ document said South Eastern Sydney local health district will reimburse the cost of renewing identification documents, including passport, driver’s licence and birth certificate.
A NSW Health spokesperson said the agency took “the privacy of our patients and our staff very seriously and we sincerely apologise to the impacted staff in both districts”.
“All documents were removed, and a full investigation is under way, including forensic analysis,” the spokesperson said.
“The districts have conducted privacy impact assessments and have directly contacted affected clinicians to provide information. The districts have also engaged IDCare, Australia’s identity and cyber support service, to provide free advice and support to staff.
“The documents do not contain patient records or other patient identifiers.”
A spokesperson for the NSW branch of the Australian Medical Association said the data breach was “a concerning incident”.
The AMA spokesperson commended both districts for their handling of the incident, particularly contacting every doctor affected and providing support.
Dr Nicholas Spooner, the NSW president of the doctors’ union, the Australian Salaried Medical Officers Federation, said it was “deeply concerning that the private and highly sensitive data of doctors has been handled so recklessly by NSW Health, leaving them exposed to identity theft and fraud”.
“Doctors should not have to fear that the very system they serve cannot even guarantee the security of their personal information,” Spooner said.
“This breach highlights a disturbing double standard. While NSW Health is quick to try to silence doctors who attempt to speak out about unsafe staffing levels and patient risks on social media, it cannot put in place even the most basic protections to safeguard their personal data.”
Spooner said: “NSW Health has left doctors vulnerable to serious risks through its own mismanagement.”