Ambulance Victoria
Summary
Ambulance Victoria exposed staff members' personal mobile phone numbers and rostering status through a misconfigured intranet page accessible to the entire workforce in April 2024. The Victorian Ambulance Union was notified of the breach and demanded complete removal of mobile numbers, staff notification, and an audit of access duration. This incident marked the third privacy breach at Ambulance Victoria within a year, raising serious concerns about the organization's data protection practices.
What Happened
In April 2024, Ambulance Victoria staff members' personal mobile phone numbers and rostering information were inadvertently made accessible to the entire workforce through an internal intranet page. The misconfiguration allowed any Ambulance Victoria employee to view colleagues' private contact information and work schedules, which should have been restricted to authorized personnel only.
The Victorian Ambulance Union (VAU) was notified of the exposure and immediately raised concerns with management. The organization temporarily took down the offending intranet page, but the VAU pressed for more comprehensive action, including permanent removal of mobile numbers from such systems, direct notification to all affected staff, and a thorough audit to determine how long the information was accessible.
This breach followed a troubling pattern of privacy incidents at Ambulance Victoria in 2023:
- May 2023: Confidential drug and alcohol test results of hundreds of employees were published on the intranet
- August 2023: Access restrictions were mistakenly lifted, exposing additional private staff details
The repeated nature of these breaches suggested systemic problems with access controls, data governance, and security awareness within the organization.
Impact on Individuals
The breach exposed Ambulance Victoria staff members' personal mobile phone numbers and rostering information, creating several risks:
Personal safety concerns: For paramedics dealing with potentially hostile patients or family members, exposure of personal contact details creates direct safety risks. Ambulance workers often face workplace violence and may need to maintain privacy about their personal contact information and work schedules.
Harassment and unwanted contact: Private mobile numbers could be used by colleagues for inappropriate contact or by others who gained unauthorized access to the intranet.
At-risk staff particularly vulnerable: At least one staff member identified as "at-risk" had been affected by previous privacy breaches and had already changed their mobile number four times. This latest breach would require a fifth number change, causing significant disruption and ongoing safety concerns.
Rostering information exposure: Knowledge of staff work schedules could enable stalking, harassment, or other targeted harmful behavior.
While the breach was limited to internal workforce exposure rather than external attackers, the impact on vulnerable staff members was substantial. For paramedics who may have protection orders or safety concerns related to their work, even internal exposure of contact information represents a serious privacy and safety violation.
Organisational Response
Upon notification by the Victorian Ambulance Union, Ambulance Victoria temporarily removed the problematic intranet page. However, the union criticized this response as insufficient and demanded:
- Complete and permanent removal of all mobile phone numbers from accessible systems
- Direct notification to all affected staff members
- A comprehensive audit to determine how long the information was accessible
- Implementation of stronger access controls to prevent future incidents
The Victorian Ambulance Union condemned Ambulance Victoria's "appalling recent record" on protecting staff privacy, highlighting the pattern of repeated breaches within a short timeframe. The union's strong language reflected frustration with the organization's apparent inability to implement basic privacy protections despite multiple incidents.
The breach raised questions about:
- Why personal mobile numbers were stored on broadly accessible intranet pages
- What access controls and testing procedures existed for intranet systems
- Whether lessons were learned from the 2023 privacy breaches
- What consequences, if any, existed for repeated privacy violations
The incident underscored challenges faced by emergency services organizations in balancing operational communication needs with staff privacy and safety. While rostering and contact information serves legitimate purposes, the repeated exposure of this sensitive data suggested inadequate security awareness and insufficient technical controls to protect employee information.