An error in the Australian Health Practitioner Regulation Authority’s (AHPRA) new online portal resulted in the unintended disclosure of contact information for approximately 3,000 nominated supervisors to their supervisees.
AHPRA has confirmed a privacy breach affecting over 3,147 health practitioner employers and supervisors, raising concerns among those in the healthcare sector.
Although classified as a relatively minor breach, given that only email addresses and phone numbers were exposed—specifically to a targeted group of other health practitioners—the incident shines a light on the vulnerabilities inherent in digital systems.
This situation arose during the registration renewal process within AHPRA’s newly implemented online portal. Practitioners who were required to name their supervisor or approved employer might have inadvertently seen their contact details during this process.
The displayed information was supposed to vanish after the practitioner confirmed their supervision or employment arrangements, suggesting a flaw in the portal’s privacy protocols.
In accordance with standard procedure, AHPRA has reported the breach to the National Health Practitioner Ombudsman and Privacy Commissioner, along with notifying affected individuals about the exposure of their contact information.
The regulator has also reached out to those whose data was compromised to ensure that the information has not been replicated, stored, or further disseminated by recipients.
To mitigate future risks, AHPRA has altered the portal to prevent the display of a supervisor’s or employer’s contact information in similar circumstances, emphasizing their commitment to privacy responsibilities. A spokesperson acknowledged the seriousness of the breach, stating, “Any breaches can erode confidence in us and the measures we have in place to protect information.”
The National Health Practitioner Ombudsman and Privacy Commissioner’s office has criticized the rollout of AHPRA’s online registration portal in their annual report for 2025. Launched just two months prior to the renewal period for Australia’s largest group of registered health practitioners, the portal experienced a surge in complaints.
In May 2025 alone, the Ombudsman recorded a 250% increase in complaints compared to the previous year, reflecting widespread issues from technical difficulties to privacy concerns. Practitioners reported challenges such as inaccessible password reset options and barriers associated with necessary multifactor authentication procedures.
Regarding the privacy breach, National Health Practitioner Privacy Commissioner Richelle McCausland confirmed that her office was duly notified and is ensuring compliance with the Notifiable Data Breaches Scheme. She encouraged individuals worried about potential privacy violations to reach out directly to the Commissioner’s office, while also directing them to submit complaints to AHPRA for an initial response.
