This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Sonic HealthPlus / BUPA

Summary

Sonic HealthPlus, a medical services provider contracted by BUPA to conduct health assessments for visa applicants, accidentally emailed the sensitive personal and health information of 317 people to a member of the general public in August 2019. The breach exposed highly sensitive medical data including health assessment results, passport details, and personal information of people applying for Australian visas, highlighting the risks of human error in handling confidential medical records.

What Happened

Misconfiguration. A Sonic HealthPlus staff member made an email error that resulted in a spreadsheet containing the personal health information of 317 visa applicants being sent to an unintended recipient—a member of the general public. The spreadsheet included names, dates of birth, addresses, passport numbers, visa application details, and results of medical examinations required for Australian visa processing. The information was particularly sensitive because it included health assessment outcomes that could reveal medical conditions, disabilities, or other health issues that visa applicants are required to disclose. The recipient who received the misdirected email contacted authorities, and an ABC investigation revealed the extent of the breach.

Impact on Individuals

  • Highly Sensitive Health Data: Medical assessment results for visa applications exposed
  • Passport Information: Passport numbers and travel document details compromised
  • Visa Application Details: Information about immigration applications and personal circumstances revealed
  • Health Conditions: Potential disclosure of medical conditions or disabilities
  • Small Affected Group: 317 individuals had comprehensive personal and medical data exposed
  • Vulnerable Population: Visa applicants particularly concerned about privacy during immigration process

While the number of affected individuals was relatively small, the sensitivity of the exposed health and immigration data was significant.

Response

Once notified of the error, Sonic HealthPlus immediately contacted the unintended recipient and requested deletion of the email and attachment. The company reported the breach to the Office of the Australian Information Commissioner and notified all 317 affected visa applicants. Sonic HealthPlus and BUPA reviewed their data handling procedures and implemented additional safeguards to prevent similar email errors, including enhanced verification steps before sending files containing sensitive personal information. The incident prompted discussions about the security practices of medical contractors performing government-mandated health assessments and the need for stricter protocols when handling visa applicant data. The breach demonstrated how a simple human error—sending an email to the wrong recipient—can result in a significant privacy breach when dealing with highly sensitive information. +++

Verification Source: View original statement