Partnered health, owner of GP clinics in Australia, suffers significant data breach

July 17, 2026 |

Partnered Health, a company that owns GP Clinics (and wants to buy more), has suffered a cyber attack in which personal information has been exfiltrated.  Stolen.  Health providers are by far and away the largest sector which suffers reportable data breaches.  Health service providers are notorious for inconsistent and sometimes completely unacceptable privacy and data security practices.  Which seems counter intutive given the strict doctor patient confidentiality obligations and the extensive regulation of the industry.  The explanation is depressingly simple.  First, the culture is poor.  Senior medical professionals are commonly resistant to following proper protocols when it involves data security.  There have been cases where doctors have taken photographs of post operative results and shared with other professionals without the consent of patients.  This “rise above” the rest attitude is poor leadership which trickles down to more junior ranks.  Secondly, clinics and hospitals have large numbers of staff, some casual, using the many terminals and other means of accessing medical records. That poses real problems with password controls and following proper procedure.  Thirdly, there is an IT challenge. Hospitals and clinics often cobble together programs and systems, especially where there is a merger or a takeover, rather than starting fresh with a new system.  That commonly leads to gaps in security.  Fourthly, with a significant churn in staff there is a constant problem of withdrawing authorisations.

The ABC reports on a significant data breach at Partnered Health in Medical records and personal details stolen in GP network cyber attack.   Partnered put out a statement which confirms that data including name, date of birth, address, Medicare and insurance numbers as well as medical information were stolen.  Enough to engage in some identity theft and also very sensitive information.  The information provided is very general. Partnered has come in for some well earned criticism for delaying telling patients for weeks.  The hack was detected on 23 June and Partnered waited until 15 July to publicly advise the public of the attack.

By now there is a good process in dealing with data breaches and poor responses.  Partnered’s approach to date has been less than optimal.

Obvious questions include why data was not siloed and whether it was encrypted.  A hacker accessing names and addresses is one thing.  Having access to notes and medical information is another. It suggests a rather simple set up where no additional authorisation was required to access such sensitive material.  All in one folder perhaps.  Interestingly sites attacked were not all of Partnered’s facilities but less than a quarter of them.  Partnered obtained an ex parte injunction, which is becoming usual practice.  I am not aware of any action being taken for breach of any such injunction.

The article provides:

A network of GP practices and skin cancer clinics has been hit in a major cyber attack, with personal medical records stolen.

Partnered Health, which runs 57 clinics across the country, posted an incident report to its website confirming that patients’ medical records were accessed and taken in the cyber breach.

It became aware of the cyber attack on June 23 and has been working with agencies including the Australian Cyber Security Centre and police.

Some affected patients were contacted late this afternoon.

Partnered Health has listed 16 clinics where patient information may have been stolen, including personal details and sensitive medical records like consultation notes, referral letters and pathology results.

It also warns that details like patient’s names, contact details, addresses, Medicare and private health insurance details might have been taken.

They include practices in Melbourne, Sydney, Canberra, Gold Coast, Sunshine Coast and Coffs Harbour.

It has listed another five, including some in Western Australia, where it is still investigating whether details have been stolen.

In a statement online, Partnered Health revealed it has engaged cyber experts to continue assessing exactly what has been stolen, but it is clear that some information has been taken.

“Our investigations to date have confirmed that personal information, including health information, was taken from some of the clinics in our network,” it said.

“We are continuing to investigate and we are communicating with patients from impacted clinics.”

The healthcare provider said it has taken legal steps to try and protect any information taken.

“To help protect our patients and people we have obtained an interim injunction from the Supreme Court of New South Wales ordering that the accessed data is not used or published,” it said.

The medical network is warning patients to be wary of scam contacts that may refer to their personal medical records in an effort to appear more convincing.

It has been in contact with Services Australia in an effort to ensure additional monitoring for anyone whose Medicare details might have been stolen.

Government cyber authorities have recently stepped up warnings to businesses and any other agencies holding sensitive personal details to step up their cyber security.

Yesterday the Australian Signals Directorate (ASD) joined with partner agencies around the world to warn of a surge of Russian-linked cyber attacks targeting poorly protected router networks, particularly in critical infrastructure.

And the ASD has previously warned that artificial intelligence will accelerate the frequency and complexity of cyber attacks, urging anyone at risk to step up their cyber security.

Partnered Health recently announced it is being acquired by health insurer Bupa.

Partnered statement provides:

On 23 June 2026, Partnered Health became aware that a malicious actor accessed some of our data.

In response, Partnered Health engaged specialist cyber experts to provide advice. We took immediate steps to contain the incident and assess whether personal information was accessed.  This investigation remains ongoing.

Our investigations to date have confirmed that personal information (including health information) was taken from some of the clinics in our network. We are continuing to investigate the extent to which personal information has been impacted by this incident and are communicating with patients from impacted clinics.

As a health services provider, we know our patients and our people trust us with personal and medical information and we sincerely apologise for any concern and inconvenience this may cause them.

Partnered Health has reported the incident to the Australian Cyber Security Centre, the Office of the Australian Information Commissioner and law enforcement, and we are continuing to work with the authorities.

We have set up a dedicated website page at www.partneredhealth.com.au/support with further information, including steps our patients can take to help protect their personal information. We will provide updates on the website as our investigation continues and new relevant information becomes available.

To help protect our patients and people, we have obtained an interim injunction from the Supreme Court of New South Wales ordering that the accessed data is not used or published.

Information that may be affected

This incident may have affected personal information patients have provided to us, or which was collected while providing patients with healthcare services.

This may include:

    • name, date of birth, address and contact details;
    • Medicare number and, where applicable, private health insurance or Veteran Card (DVA) number or concession card number; and
    • medical information and treatment details, including consultation notes, referral letters, and pathology or diagnostic results recorded by a GP or other medical professionals at our clinics.

Steps people can take to help protect their personal information

While we are still investigating the data and do not currently know the extent of personal information that has been impacted, as a precaution people can take the following steps to help protect their information:

    • be alert to any suspicious emails, text messages or phone calls, including communications that are disguised to look like they come from someone you know or trust;
    • verify the identity of the sender before responding, including checking email addresses and phone numbers rather than relying on the name displayed;
    • do not click on links or open attachments in messages that look unusual or unexpected;
    • ensure you use strong unique passwords for all accounts and enable multi-factor authentication where available;
    • never provide personal, financial or account information in response to an unsolicited request, regardless of how legitimate it appears;
    • if you’re unsure whether a link or offer is genuine, go directly to the organisation’s website or contact them using details you already have, rather than the details provided in the message;
    • monitor your accounts for unusual activity and contact your bank if you notice anything suspicious; and
    • visit www.scamwatch.gov.au for further information on current scam trends.

The practices that have been impacted include:

    • Blackburn Road Medical Centre
    • Broadway General Practice
    • Bundall Medical Centre
    • Cardiff Medical Centre & Skin Cancer Clinic
    • Castle Hill Family Doctors
    • Champion Drive Medical Centre
    • Chancellor Park Family Medical Practice
    • Dromana Family Doctors
    • Dural Medical Centre
    • Joondalup City Medical Group
    • Kealba Family Practice
    • Mornington Family Doctors
    • Noosaville Seven Day Medical Centre
    • North Canberra Family Practice
    • Park Beach Family Practice
    • Park Orchards Family Practice
    • Rockingham City Family Practice
    • Sans Souci Medical Practice
    • Templestowe District Medical Centre
    • Wentworth Avenue Family Practice
    • Wyong Family Practice

 

Leave a Reply