Partnered Health has disclosed that 21 of its clinics across Sydney, Melbourne, and Canberra were compromised in a data breach on June 23, with a malicious actor accessing sensitive patient information including Medicare numbers, treatment details, and pathology results. The company has obtained an interim injunction from the New South Wales Supreme Court to prevent the data from being used or published, but experts warn that the records could still be sold on the dark web.
Scope of the Breach
The affected data includes consultation notes, referral letters, diagnostic results, private health insurance details, names, dates of birth, and addresses. Partnered Health has contacted affected patients but declined to specify the total number impacted, citing patient interests. The incident has been reported to the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and law enforcement.
Expert Warnings on Dark Web Sales
Dr. Suelette Dreyfus, a senior lecturer in information systems at the University of Melbourne, stated that medical records are particularly valuable, selling for up to US$250 per record on the hidden market—far exceeding the few cents fetched by basic personal information. She noted that combining medical data with other datasets could build detailed profiles, posing significant privacy risks. Dreyfus also highlighted the possibility that the attackers were commissioned to target a specific company or individual, as seen in the 2018 Singaporean data breach where state actors sought the prime minister's records.
Limited Recourse for Victims
Unlike financial data breaches, victims of medical record theft cannot easily mitigate damage by changing passwords or cancelling cards. Dreyfus emphasized that altering one's medical history is nearly impossible once exposed. She urged Australians to monitor accounts for unusual activity, keep devices updated, and change passwords regularly. She also called for governments and institutions to enhance cybersecurity training, public awareness, and research funding to prevent future attacks.
Previous Australian Cyber Incidents
This breach follows a pattern of healthcare data vulnerabilities in Australia. In 2022, Medibank refused a hacker group's ransom, leading to the publication of 9.7 million customers' personal details on the dark web. In 2019, the Victorian auditor general used basic hacking tools to access sensitive patient data at three hospitals, exposing cybersecurity weaknesses. Dreyfus noted that while medical staff prioritize patient privacy, institutions often neglect cybersecurity, focusing instead on preventing casual information leaks rather than large-scale data theft.



