A Wellington, New Zealand pharmacy operated under the Unichem Petone banner disclosed that sensitive patient messages submitted through a "contact us" form on its website were inadvertently exposed and indexed on the public internet. The pharmacy said it has since removed the content and is notifying the 29 affected patients. The incident draws attention to a category of data exposure that receives less scrutiny than large-scale breaches: configuration or publishing errors on patient-facing web properties that quietly surface private communications.
The structural problem
Contact forms embedded in pharmacy and clinical practice websites often handle messages that patients treat as private channels — refill requests, questions about prescriptions, descriptions of symptoms, or insurance details. Unlike EHR portals, these forms are frequently managed through general-purpose web content systems or third-party plugins that may not carry the same access controls applied to clinical software.
When submission data is stored or logged in a location accessible to search engine crawlers, the content can be indexed before the error is detected. By that point, cached copies may persist across multiple platforms even after the originating page is corrected, which is why Unichem Petone described its response as "scrubbing the internet" rather than simply taking down a single page.
Why this pattern recurs
- Web properties are treated as marketing assets. Practice websites are typically managed by communications or administrative staff, or by external web agencies, rather than by the personnel responsible for clinical data systems. Security review is often minimal.
- Form submissions are not always classified as health information. Organizations may not recognize that unstructured patient messages contain protected health information, and therefore may not apply the same handling rules they apply to structured clinical records.
- Crawl exposure can be rapid. Search engines index new or changed URLs within hours. A misconfiguration that goes undetected for even a short period can result in cached content that survives the original fix.
What this signals for US-based practices
New Zealand's privacy framework differs from the US Health Insurance Portability and Accountability Act, but the technical failure mode is identical and has appeared in US breach reports. The HHS Office for Civil Rights breach portal includes incidents where patient information was exposed through misconfigured websites, and the HIPAA Security Rule's technical safeguard requirements apply to electronic protected health information regardless of the system in which it sits — including web servers and form-handling infrastructure.
Independent practices that accept patient inquiries through website contact forms should confirm that submission data is routed to secured destinations rather than stored in web-accessible directories, that the forms themselves are excluded from search engine indexing where appropriate, and that any third-party plugins or form services handling the submissions are evaluated under the same risk analysis process applied to other electronic systems touching patient data. A business associate agreement may be required depending on how a third-party form service processes and stores the submissions.
What independent practices should check
- Confirm that patient-facing contact forms do not write submission content to publicly accessible file paths or logs.
- Review robots.txt configuration and any submission-confirmation pages to ensure they do not expose message content to crawlers.
- Verify that third-party form or live-chat tools used on practice websites are covered by signed business associate agreements if they receive, transmit, or store protected health information.
- Include web infrastructure in the organization's periodic risk analysis, not only clinical and billing systems.
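A small audit that exercises the first two checks above, written for this article as an added example rather than anything from the pharmacy or its web vendor: it flags a submission store that resolves under the document root, a confirmation page that echoes the message body without a noindex directive, and a robots.txt group for all crawlers that leaves the handler path crawlable. All paths, headers and sample submissions are constructed; the robots.txt parser assumes the common "User-agent / Disallow" group layout and treats Disallow as a prefix match.

```python
import re
from pathlib import Path

def storage_is_web_accessible(docroot: str, storage_path: str) -> bool:
    """True if the submission store resolves to a location under the document root."""
    root, store = Path(docroot).resolve(), Path(storage_path).resolve()
    return store == root or root in store.parents

def response_blocks_indexing(headers: dict, html: str) -> bool:
    """True if the page carries noindex via X-Robots-Tag or a robots meta tag (name before content)."""
    tag = {k.lower(): v for k, v in headers.items()}.get("x-robots-tag", "")
    if "noindex" in tag.lower():
        return True
    return re.search(r'<meta[^>]*name="robots"[^>]*content="[^"]*noindex', html, re.I) is not None

def echoed_fields(html: str, fields: dict) -> list:
    """Names of submitted fields whose values are reproduced verbatim in the confirmation page."""
    return sorted(k for k, v in fields.items() if v and v in html)

def robots_disallows(robots_txt: str, path: str) -> bool:
    """True if a 'User-agent: *' group has a Disallow rule that prefix-matches `path`.
    robots.txt is a crawl hint, not an access control; it is checked only because the
    article recommends reviewing it, never as a substitute for keeping data off the web root."""
    applies = in_rules = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "user-agent":
            if in_rules:                              # a rule line ended the previous group
                applies = in_rules = False
            applies = applies or val == "*"
        elif key == "disallow":
            in_rules = True
            if applies and val and path.startswith(val):
                return True
    return False

def audit(docroot, storage_path, headers, html, fields, robots_txt, handler_path) -> list:
    """Return the exposure findings for one contact-form deployment (empty list if clean)."""
    findings = []
    if storage_is_web_accessible(docroot, storage_path):
        findings.append("submissions stored under document root")
    if echoed_fields(html, fields) and not response_blocks_indexing(headers, html):
        findings.append("confirmation page echoes message without noindex")
    if not robots_disallows(robots_txt, handler_path):
        findings.append("form handler path not excluded from crawling")
    return findings

# Constructed sample inputs (not from the incident): a misconfigured deployment and its fixed form.
VULNERABLE = dict(docroot="/var/www/html", storage_path="/var/www/html/uploads/contact.log",
    headers={"Content-Type": "text/html"}, fields={"name": "J. Doe", "message": "Please refill my prescription"},
    html="<html><body>Thanks! We received: Please refill my prescription</body></html>",
    robots_txt="User-agent: *\nDisallow: /admin/\n", handler_path="/contact/submit")
HARDENED = dict(VULNERABLE, storage_path="/var/lib/contactform/contact.log",
    headers={"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"},
    html="<html><body>Thanks, your message was received.</body></html>",
    robots_txt="User-agent: *\nDisallow: /admin/\nDisallow: /contact/submit\n")

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit(**cfg) or ["no findings"])
```

The storage check compares resolved paths, so a symlinked upload directory that lands under the web root is caught as well.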
The Unichem Petone incident is small in scale — 29 patients — but the mechanism it illustrates is not rare. Contact-form misconfigurations represent a low-visibility exposure class that can affect any practice maintaining a patient-facing website, regardless of size.