Australian Medical Records at Risk After Partnered Health Data Breach
Medical Records at Risk After Partnered Health Data Breach

Partnered Health has disclosed that 21 of its clinics across Sydney, Melbourne, and Canberra were compromised in a data breach on June 23, with a malicious actor accessing sensitive patient information including Medicare numbers, treatment details, and pathology results. The company has obtained an interim injunction from the New South Wales Supreme Court to prevent the data from being used or published, but experts warn that the records could still be sold on the dark web.

Scope of the Breach

The affected data includes consultation notes, referral letters, diagnostic results, private health insurance details, names, dates of birth, and addresses. Partnered Health has contacted affected patients but declined to specify the total number impacted, citing patient interests. The incident has been reported to the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and law enforcement.

Expert Warnings on Dark Web Sales

Dr. Suelette Dreyfus, a senior lecturer in information systems at the University of Melbourne, stated that medical records are particularly valuable, selling for up to US$250 per record on the hidden market—far exceeding the few cents fetched by basic personal information. She noted that combining medical data with other datasets could build detailed profiles, posing significant privacy risks. Dreyfus also highlighted the possibility that the attackers were commissioned to target a specific company or individual, as seen in the 2018 Singaporean data breach where state actors sought the prime minister's records.

Wide Pickt banner — collaborative shopping lists app for Telegram, phone mockup with grocery list

Limited Recourse for Victims

Unlike financial data breaches, victims of medical record theft cannot easily mitigate damage by changing passwords or cancelling cards. Dreyfus emphasized that altering one's medical history is nearly impossible once exposed. She urged Australians to monitor accounts for unusual activity, keep devices updated, and change passwords regularly. She also called for governments and institutions to enhance cybersecurity training, public awareness, and research funding to prevent future attacks.

Previous Australian Cyber Incidents

This breach follows a pattern of healthcare data vulnerabilities in Australia. In 2022, Medibank refused a hacker group's ransom, leading to the publication of 9.7 million customers' personal details on the dark web. In 2019, the Victorian auditor general used basic hacking tools to access sensitive patient data at three hospitals, exposing cybersecurity weaknesses. Dreyfus noted that while medical staff prioritize patient privacy, institutions often neglect cybersecurity, focusing instead on preventing casual information leaks rather than large-scale data theft.

Pickt after-article banner — collaborative shopping lists app with family illustration