The forms included potential clients' names, addresses, e-mail addresses, phone numbers and birthdates, along with the plastic surgery procedures they were considering. No clinical or financial information was accessed.
Harley says the attack was aimed at extorting money from the company.
"We acted immediately to deal with this situation," Harley chairman Peter Boddy wrote in the notification letter. "We have informed the police and will continue to provide whatever assistance they may require to track down the perpetrator of this illegal act, and are also informing the Information Commissioner's Office. At the same time our Web site was taken down while a fix was put in place. Further upgrades will be implemented in the near future."
A spokesman from the Information Commissioner's Office told the Guardian, "We have recently been made aware of a possible data breach involving the Harley Medical Group. We will be making inquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken."
Photo courtesy of Shutterstock.