#privacy: Personal data of Visa applicants accidentally leaked 

The personal data of 317 people applying for Australian Visas were accidentally emailed to an incorrect address due to a “typo”. 

In an investigation by ABC, it was uncovered that a spreadsheet had been sent accidentally to an unknown individual’s email address. 

The breach happened in 2015 by a subcontractor of Bupa, Sonic HealthPlus (SHP). When applying for visas and permanent residency in Australia, Bupa is contracted by the Department of Home Affairs in order to assess the health of the individuals applying. 

From a Freedom of Information request, it was revealed that an SHP employee had sent the names, dates of births, and passport numbers of 317 people, as well as brief notes and comments about the status of medical tests being conducted, to the unknown Gmail address. 

Dr Baer Arnold, a privacy and health law expert from the University of Canberra, expressed his concerns about the privacy breach.

“The idea that we have an inadequately-supervised subcontractor using something like Gmail to transfer sensitive, personal health information is utterly appalling.”

The Department of Home Affairs stated that the documents leaked did not contain actual personal client medical records, but only bio-details of visa applicants. 

Additionally, it was identified that the employee, from the subcontractor SHP, who had accidentally sent the email, was removing the data of visa applicants from “authorised departmental health systems” and placing them in Excel spreadsheets as status reports to send to Bupa. 

The information being extracted and shared had been done against without Bupa’s and SHP knowledge, and against their department policies. As a result the department of chief medical officer of SHP had to inform Bupa that SHP had fail to comply with privacy obligations that had been set out in its contract. 

“Bupa acknowledges that the process used to share the document containing the data was outside of the authorised departmental health systems,” a spokesperson from Bupa said. 

After numerous attempts to recall the email, both SHP and Bupa ended up contacting Google Australia to get the email back, five weeks after the incident. 

Google removed the email from the receiver’s inbox after notifying them. 

Dr Baer Arnold added:

“We’re increasingly relying on agents in the private sector to do work for government and many of those agents clearly are just not up to it.

“If this information is not encrypted, if it’s being shared by badly-supervised subcontractors using a Gmail address, we’re not up to speed. We need to do something about it.”


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.