
1. What happened?
Our security team discovered that an operational database containing sensitive information had been exposed due to a system vulnerability. The exposure was identified during a security review and has since been closed.

2. What information was involved?
The database included names, contact details, and in some cases additional sensitive information such as patient, staff, or user records. No financial account data (such as bank card details) was stored in this database.

3. How did you respond?
Immediately after discovery we:

  • Secured the system and blocked further access.
  • Began an investigation to understand scope and root cause.
  • Notified the Information Regulator in line with POPIA obligations.
  • Engaged external cybersecurity experts to assist.

4. Who was affected?
Individuals whose information was stored in the exposed tables — including staff, patients, and system users. We are contacting those affected directly where possible.

5. What are the risks?
The main risk is unwanted contact (phishing, spam, scam attempts) using the exposed details. In rare cases, attackers may attempt to use this data for identity theft or social engineering.

6. What should I do?

  • Be alert for emails, SMS or phone calls asking for personal information.
  • Do not click suspicious links or open unexpected attachments.
  • Monitor your accounts and immediately report suspicious activity.

7. Are you offering any support?
Yes. We have set up a dedicated support line and email address to answer queries. We are also exploring credit-monitoring/identity-protection services for those most at risk.

8. What is being done to prevent this in future?

  • Enhanced monitoring and security controls.
  • Independent audit of our systems.

9. Who can I contact?

Why we are notifying you

POPIA requires a responsible party to notify affected data subjects and the Information Regulator where there are reasonable grounds to believe that personal information has been accessed by unauthorised persons or where the exposure may place individuals at risk. Even though there is currently no evidence of unauthorised access, the fact that the database was publicly reachable constitutes a material security incident that may reasonably give rise to risk. AMS is therefore notifying potentially affected persons and providing guidance to reduce any risk of harm.

Steps you should take now (advice to individuals)

If you believe you may be affected, please consider taking the following protective steps immediately:

  1. Monitor your financial accounts and statements – watch bank accounts, credit card, and medical billing statements for suspicious transactions or unknown charges.
  2. Obtain a copy of your credit and identity report from major credit bureaus (where applicable) and review for unknown accounts or activity. Consider a credit or identity monitoring service if available.
  3. Be alert for phishing and scams – attackers may use personal information to craft convincing phishing emails, SMS (smishing), or phone calls (vishing). Do not click links or open attachments from unexpected senders. Verify requests for personal or financial details by calling known official numbers.
  4. Change passwords and enable MFA – for any online accounts that use the same password as your AMS accounts, or a similar one, change to unique, strong passwords and enable multi-factor authentication (MFA) wherever possible.
  5. If you receive suspicious contact – confirm the identity of the requester through AMS’s official channels before providing any information. AMS will never ask for sensitive information through unsolicited email or SMS.
  6. Report suspected identity theft or fraud – if you detect fraudulent activity, promptly report it to your bank, relevant service provider, and your local police and consumer protection agencies.
  7. Contact AMS – if you would like to confirm whether your records were included or seek assistance, contact AMS’s Information Officer using the contact details below.

AMS Data Subject Access Request portal: POPIA Data Subject Request Form  · Customer Self-Service

Confirmations from AMS

  • Report filed: AMS confirms it has reported the incident to the Information Regulator in line with POPIA notification requirements.
  • No evidence of unauthorised access so far: Based on current forensic checks, there is no evidence at this stage that an unauthorised person accessed or acquired data from the exposed dataset. AMS will promptly notify the Information Regulator and affected persons if evidence emerges that data was accessed.
  • Remediation completed: The database is no longer publicly accessible and is no longer accessible to unauthorised internal personnel. AMS is continuing to work with its IT service provider and external cybersecurity specialists to implement additional security controls and monitoring to prevent a recurrence.

Your rights under POPIA

Under POPIA, you have rights, including:

  • The right to be notified when your personal information is compromised.
  • The right to request access to your personal data.
  • The right to lodge a complaint with the Information Regulator if you are dissatisfied with AMS’s handling of personal information.

AMS will cooperate with the Information Regulator and provide updates as required by law.

AMS contact and support

If you believe your data may be affected or you need assistance, please contact:

  • The Information Officer
  • Email: amsio@ams.org.za
  • Phone: 086 11 63729


Copyright © 2025 AMS