Medical Records Stolen in Cyber Attack on Partnered Health GP
Medical Records Stolen in Cyber Attack on Partnered Health GP Network Spanning 16 Clinics Nationwide

A network of general practice and skin cancer clinics across Australia has been hit by a major cyber attack, with sensitive medical records and personal patient information confirmed stolen from at least 16 locations, the operator of the clinics said this week.

Partnered Health, which operates 57 clinics nationwide, posted an incident report to its website confirming that patients' medical records were accessed and taken during the breach. The company said it first became aware of the cyber attack on June 23 and has since been working with agencies including the Australian Cyber Security Centre and police to investigate the incident.

What Was Taken

Partnered Health has identified 16 clinics where patient information may have been stolen, including sensitive medical records such as consultation notes, referral letters and pathology results. The company also warned that personal details, including patients' names, contact information, addresses, and Medicare and private health insurance information, may have been compromised in the breach.

The affected clinics span multiple states and territories, including locations in Melbourne, Sydney, Canberra, the Gold Coast, the Sunshine Coast and Coffs Harbour. One of the impacted facilities, the Cardiff Medical Centre and Skin Cancer Clinic, has been publicly identified among those believed to have been affected.

Beyond the 16 confirmed clinics, Partnered Health said it has identified another five locations, including some in Western Australia, where it is still investigating whether patient details were stolen as part of the breach.

Company Response

In its statement, Partnered Health confirmed that its ongoing investigation had established that personal information, including health information, was indeed taken from some clinics within its network.

"Our investigations to date have confirmed that personal information, including health information, was taken from some of the clinics in our network," the company said. "We are continuing to investigate and we are communicating with patients from impacted clinics."

The healthcare provider said it has engaged cybersecurity experts to continue assessing the full scope of what was stolen during the breach, and confirmed that some affected patients were contacted directly late Tuesday afternoon as part of its ongoing notification process.

Legal Action Taken to Protect Stolen Data

Partnered Health said it has taken legal steps in an attempt to prevent the misuse of the stolen information. The company confirmed it has obtained an interim injunction from the Supreme Court of New South Wales specifically ordering that the accessed data not be used or published.

"To help protect our patients and people we have obtained an interim injunction from the Supreme Court of New South Wales ordering that the accessed data is not used or published," the company said.

Warning Over Potential Scams

Partnered Health has warned patients to remain vigilant against potential scam contacts that could reference their stolen personal medical records in an effort to appear more legitimate or convincing. The company said it has also been in contact with Services Australia to help arrange additional monitoring for any patients whose Medicare details may have been compromised in the breach.

Part of a Broader Pattern of Warnings

The cyber attack on Partnered Health comes amid a broader push by Australian government cybersecurity authorities to encourage businesses and other organizations holding sensitive personal data to strengthen their security measures. Just a day before Partnered Health's disclosure, the Australian Signals Directorate joined with partner agencies from around the world to warn of a surge in Russian-linked cyber attacks specifically targeting poorly protected router networks, with a particular focus on critical infrastructure sectors including defence, energy and communications.

The Australian Signals Directorate has also previously warned that artificial intelligence is expected to accelerate both the frequency and complexity of cyber attacks going forward, urging any organizations at heightened risk to take proactive steps to strengthen their cybersecurity posture.

A Sector Under Increasing Pressure

The breach adds to a growing list of cyber attacks targeting Australian organizations that hold large volumes of sensitive personal and health-related information. Healthcare providers in particular have become increasingly attractive targets for cybercriminals given the sensitive and highly valuable nature of medical records, which often contain a combination of health information, government identification numbers and financial details that can be exploited for identity theft or fraud.

The scale of the Partnered Health breach, spanning dozens of clinics across multiple states, underscores the challenges healthcare networks face in securing patient data across large, distributed systems of clinics and practices, particularly as cyber threats continue to grow more sophisticated.

Acquisition by Bupa in the Background

The cyber attack comes as Partnered Health is in the process of being acquired by major health insurer Bupa, a deal that had been announced prior to the breach becoming public. It remains unclear what, if any, impact the cyber attack and its fallout could have on the pending acquisition, though the timing adds an additional layer of complexity to the transaction as both companies navigate the aftermath of the breach alongside their ongoing merger process.

What Patients Should Do

Patients who may have visited one of the affected clinics are being urged to remain alert for any suspicious contact referencing their personal or medical information, and to verify the legitimacy of any communications claiming to be from healthcare providers, government agencies or insurers before sharing further personal details. Partnered Health has indicated it will continue directly notifying affected patients as its investigation progresses, while working alongside the Australian Cyber Security Centre, police and Services Australia to manage the fallout from the breach and limit further exposure of the stolen data.

The investigation into the full scope of the breach remains ongoing, and further details are expected to emerge as Partnered Health completes its assessment of the additional five clinics still under review.