Brisbane mum, Nadine*, booked in for a boob job last September because she was suffering from low self-esteem.
The 41-year-old chose to get 365cc implants after being measured as “less than a 10A” cup size.
She posed for half-naked photos at the surgery to document her breast augmentation and now the images – which show her face – could be in the wrong hands.
While scrolling on Facebook, the mum-of-three discovered the cosmetic surgery company she trusted had clients’ confidential information “hacked” on Friday.
It’s claimed naked photos and medical records of hundreds of women from The Cosmetic Institute (TCI) were published online, The Daily Telegraph reports.
Centennial Lawyers principal solicitor, George Newhouse, says cosmetic surgery is a very sensitive and personal issue.
He told Mamamia if details of medical procedures and photographs have been made public the effects can be catastrophic.
“Public disclosure can affect careers, relationships and even a person’s health and welfare. Public exposure of this kind of intimate information can be traumatic and embarrassing,” he said.
Nadine says she was disappointed when she came across TCI's apology online, rather than being contacted directly.
In the Facebook post, TCI said they were "deeply concerned" to learn of the hacking of confidential data and were "very apologetic" to those who have been affected.
“I’ve been involved in a number of data breaches but, according to reports, this is by far the worst because of the sensitive and intimate nature of the information being released,” Professor Newhouse told The Telegraph.
“This data breach contains highly sensitive information and ... naked photos. I’ve never seen anything like it.”
The lawyer says the data, which is said to date back to 2014, could have been viewed by “potentially millions of people”.
Former TCI client, 20-year-old Jessica Clough, old The Daily Telegraph she felt “violated” and “sick to the stomach”.
“It is supposed to be private and confidential information and they have breached our privacy in the worst possible way,” Ms Clough said.
TCI claim their patient database including pre and post-op photos were not accessed.
However, The Daily Telegraph report before-and-after photos of breast enhancements, home addresses, Medicare numbers and medical history were posted on the internet by The Cosmetic Institute in Bondi Junction.
Queensland client Nadine says she is concerned about potentially having her private details online and what they might do with it.
"The decision to get an augmentation done is something you do very personally," Nadine told Mamamia.
She is not sure if she is one of the victims and not quite ready to find out.
"I don't want to know, because that would frighten me...maybe in a couple of weeks I will," she said.
Nadine says it's concerning that people may have accessed her private information.
"I chose the people who I wanted to know [about my breast surgery], so for somebody to have that information is a little bit daunting."
"It's a very personal journey," she said.
"This procedure for me was because I fed three babies successfully and my self-esteem was low. It was not a sexual thing, it was a self-confidence decision four years in the making."
The mum wants repercussions for the hackers and has urged for TCI to invest in better security for their clients.
"What's done is done. There is nothing we can change," she said.
"The saddest thing is TCI didn't contact me directly and to use social media to inform patients that's pretty bad form."
Podcast: Are your nipples in fashun? (post continues below).
The compromised website was discovered by a Queensland doctor who contacted the media after noticing the data could be accessed by anyone, The Telegraph report.
Another client, Peta Alaban, 29, says she doesn't have a problem with TCI although she says the leak is a little concerning.
"My post-op, pre-op and surgery day care was absolutely amazing. The whole team were incredible. Even now I do not have an issue with TCI, their management or how they are handling the investigation," she said.
"My issue is with the doctor who discovered the leak. Whilst going to the media may not have been illegal, ethically I see many issues," she told Mamamia.
The Cosmetic Institute said they were concerned to learn of the recent unauthorised access of confidential data and apologises to anyone who has been affected.
"Our company server and active patient database meets stringent security requirements. This incident relates to a website enquiry form created and managed by a third party digital agency," a spokesperson told Mamamia.
"On notification the vulnerability was immediately removed and we have engaged an independent security expert to audit the incident.
"Upon initial review, the website analytics have revealed that only one unauthorised party accessed the relevant page for a brief time on Friday the 2nd of June."
The Privacy Commission has asked women who fear their details were leaked to call the hotline on 9258 0066 or email [email protected].
*Nadine's name has been changed.