The Women's and Children's Hospital in Adelaide, Australia, accidentally exposed thousands of children's patient records, test results and other confidential information online for about 13 years. Patients who were treated at the hospital for whooping cough, gastro and respiratory infections between 1996 and 2005 were impacted in the breach.
The sensitive information was found embedded in a PowerPoint presentation on infectious diseases and published on the hospital's website back in 2005. Exposed data included the names, dates of birth and test results of more than 7200 children.
The presentation was removed from the website in 2016, but had been uploaded with the embedded data to two document-sharing websites - dokumen.tips and docslide.com.br - without authorization. The presentation has since been removed. The presentation was also found to be uploaded to four other file-sharing websites, none of which contained the embedded data.
The gaffe was uncovered by a parent who searched for their child's name online and discovered a link to the presentation and immediately alerted authorities.
According to SA Health, the presentation was downloaded and viewed more than 300 times. However, is still unclear if the data was saved or accessed by any malicious entities.
Phil Robinson, executive director of corporate services at Women's and Children's Hospital, said there is currently no indication that any SA Health patient records or information system has been breached.
“The patient information was included in an academic presentation on childhood infections that was posted to the WCH website in 2005,” Robinson said in a statement. “Because the author did not remove the source data in the presentation it was able to be accessed online.
“Our IT security team advise that the risk of anyone discovering the embedded information within the presentation is extremely low. Once we were alerted to the error late Wednesday afternoon, we identified the nature of the information and contacted the website administrators who removed the presentation containing the data by Thursday afternoon. However, because the data was stored in a cache, it wasn’t completely removed from the internet until late last night."
SA Health said it is reviewing all PowerPoint presentations in the public domain to ensure no sensitive patient data has been accidentally embedded.
“I would like to apologize to those affected by this data error," Robinson said. "This was a regrettable incident from our perspective."