A Wellington, New Zealand pharmacy found itself racing to contain a data leak after a configuration error on its website caused patients' private messages — submitted through a standard "contact us" form — to become publicly visible online. Unichem Petone confirmed it has since removed the exposed content and is notifying the 29 affected patients. The incident is a reminder that patient-facing web features, often treated as low-risk utilities, carry real disclosure risk when misconfigured.

The structural problem

Contact forms are among the most commonly deployed features on healthcare provider websites, and they are rarely subjected to the same security scrutiny as clinical systems or EHR integrations. Patients routinely use them to ask questions about prescriptions, refills, or sensitive health conditions — assumptions built on an expectation of privacy that basic web hygiene is supposed to protect.

When form submissions are logged, cached, or routed through third-party services without appropriate access controls, the resulting exposure can be functionally equivalent to leaving paper records in a public waiting area. The content may be indexed by search engines before any error is detected, which is what appears to have driven the "scrubbing" effort Unichem Petone undertook after discovery.

What this looks like in practice

The Unichem Petone incident involved a relatively small patient count — 29 individuals — but the remediation effort illustrates how costly even a contained exposure can become. Removing content from the live internet requires coordinating with search engine cache removal tools, confirming that no third-party crawlers have archived the data, and documenting the cleanup for notification and regulatory purposes.

New Zealand's Privacy Act 2020 governs this type of incident, and the Office of the Privacy Commissioner can require notification and corrective action. The regulatory mechanism differs from the US framework under HIPAA and the HHS Office for Civil Rights, but the underlying compliance logic is similar: covered entities must have technical and administrative safeguards in place to prevent unauthorized disclosure, and incidents must be assessed for notification obligations regardless of the number of affected individuals.

Where this lands for US practices

For US-based independent practices and pharmacies, the incident points to a category of infrastructure that frequently escapes formal risk assessment: patient-facing web forms, appointment request tools, and similar front-end features that sit outside the EHR but still collect health-related information.

Practices should confirm that any web form collecting patient information — even general inquiries — routes submissions through encrypted channels, is not logged in publicly accessible server directories, and is reviewed as part of periodic risk analysis. Third-party form plugins and contact management tools used on practice websites warrant the same vendor oversight process applied to any business associate handling protected health information.

The small scale of this incident should not be read as a signal that the risk category is minor. A misconfigured form on a higher-traffic site, or one that remained undetected for longer, would produce a materially different outcome.