Neoclinical
Summary
Neoclinical, a medical data storage and management provider servicing Australian healthcare organisations, exposed thousands of patient medical histories in a data breach in August 2019. The breach compromised highly sensitive health information including medical diagnoses, treatment histories, prescriptions, and test results stored on behalf of doctors, clinics, and other healthcare providers. The incident highlighted the risks of centralised medical data storage and the vulnerability of third-party health IT providers.
What Happened
Misconfiguration. Neoclinical's systems were improperly configured, leaving patient medical records and health information publicly accessible without adequate security controls. The exposed data included comprehensive medical histories, diagnostic information, treatment plans, prescription records, pathology results, and personal details of patients whose healthcare providers used Neoclinical's data management services. The breach affected a cloud-based system that multiple medical practices and healthcare organisations relied upon to store and manage patient records. The vulnerability was discovered by security researchers who alerted Neoclinical to the exposure.
Impact on Individuals
- Comprehensive Medical Exposure: Complete health histories including diagnoses, treatments, medications, and test results compromised
- Highly Sensitive Conditions: Potential exposure of mental health conditions, sexual health issues, addiction treatments, and chronic diseases
- Privacy Invasion: Medical information patients shared in confidence with their doctors exposed to unauthorised parties
- Discrimination Risk: Health conditions could be used for employment or insurance discrimination
- Permanent Record: Medical histories cannot be changed, creating lifelong vulnerability
- Multiple Providers: Patients may not have known which healthcare providers used Neoclinical's services
The breach was particularly serious because medical records contain some of the most sensitive personal information, covering conditions and treatments patients may never want disclosed.
Response
Neoclinical immediately secured the exposed systems and launched an investigation to determine the extent of the breach and whether unauthorised parties had accessed the patient data. The company notified affected healthcare providers who used its services, and those providers were responsible for informing their patients about the potential exposure of medical records. Neoclinical engaged cybersecurity experts to conduct a comprehensive security audit and implement enhanced access controls and encryption. The incident was reported to the Office of the Australian Information Commissioner. The breach raised serious questions within Australia's healthcare sector about the security practices of third-party medical data storage providers and the need for stricter regulatory oversight of health IT vendors. Healthcare providers were forced to reassess their vendor security requirements and data storage arrangements.