kiwinewsdesk.com
New Zealand

Cheryl Horrell says Naturalwear privacy breach left cancer survivors feeling helpless

A 75-year-old cancer survivor says she felt helpless after companies found to have misused a confidential support-database for advertising could not pay the full damages ordered.

Kiwi News Desk··6 min read
Cheryl Horrell represented herself in privacy proceedings against Naturalwear-linked companies.

Cheryl Horrell represented herself in privacy proceedings against Naturalwear-linked companies.

Cheryl Horrell says she felt helpless after private details about cancer survivors were used for advertising and the companies found to have breached her privacy were later unable or unwilling to pay the full damages ordered. The 75-year-old represented herself through a long process involving the Privacy Commission and the Human Rights Review Tribunal. The breast prosthesis companies involved were ordered to pay her more than $10,000 in damages after information from the Canterbury-West Coast Cancer Society's confidential client database was misused in 2016.

The case is uncomfortable because the information at the centre of it was not ordinary marketing data. It related to people who had been through breast cancer and were connected with a support organisation. Horrell said she was furious that painful, private details had been used to target her and others with advertising. The society said it did not pursue the matter in court because of the cost and because it did not want to re-traumatise clients. That left Horrell carrying much of the fight herself.

Sole director Richard Brady denied accessing the database but accepted he may have somehow used the names of people on it. Horrell said Brady later told her the companies could not pay the full amount or could pay only in small instalments, despite another of his companies receiving more than $11 million in taxpayer funding. That detail has made the story about enforcement as much as privacy. A tribunal order can recognise harm, but a survivor may still feel exposed if payment and accountability remain difficult.

Privacy law depends on trust. People share sensitive health information with charities, medical providers and support groups because they need help, not because they expect to become a sales list. When that boundary is crossed, the damage is not limited to one piece of mail or one advertisement. It can make people less willing to seek support, join databases, attend services or tell organisations what they need. For cancer survivors, that can be especially harmful because support networks often depend on accurate and personal information.

The case also shows the burden placed on individuals when systems fail. Horrell's persistence produced a tribunal outcome, but most people do not have the time, health, legal confidence or emotional stamina to pursue a privacy breach for years. If enforcement relies too heavily on affected individuals pushing through every step, the people most harmed may be least able to keep going. Organisations holding sensitive data should therefore treat privacy not as a compliance formality, but as part of care.

The lesson for charities, health-adjacent businesses and service providers is direct: client databases are not business assets to be repurposed without consent. The lesson for regulators and policymakers is also clear. Remedies need to be meaningful after the decision, not only on paper. Horrell's case has made visible the human cost of a breach that involved vulnerable people. The next question is whether the system can make accountability feel real for those whose private lives were used without permission.

More in New Zealand