Technology
Delay in revealing theft of medical data labelled 'unacceptable'
Key Points
Delay in revealing Partnered Health breach and stolen patient data 'unacceptable' Thu 16 Jul 2026 at 6:00pm In short: A cybersecurity expert has labelled Partnered Health's delay in revealing a data breach to the public "unacceptable". The company, which runs more than 60 health clinics nationwide, took more than three weeks to notify potentially impacted patients. Partnered Health has established a support page for impacted patients.
Delay in revealing Partnered Health breach and stolen patient data 'unacceptable'
Thu 16 Jul 2026 at 6:00pm
In short:
A cybersecurity expert has labelled Partnered Health's delay in revealing a data breach to the public "unacceptable".
The company, which runs more than 60 health clinics nationwide, took more than three weeks to notify potentially impacted patients.
What's next?
Partnered Health has established a support page for impacted patients.
A cybersecurity expert has labelled the delay between Partnered Health identifying it had been the target of a hack and notifying the public as "unacceptable".
The company, which runs more than 60 health clinics nationwide, said it first became aware a "malicious actor" had accessed data from some of those clinics on June 23.
The patient information obtained by the hackers potentially included names, dates of birth, addresses, Medicare numbers, treatment details and notes written by healthcare professionals during consultation.
Partnered Health did not alert the public or those potentially impacted by the hack until yesterday.
Fariha Jaigirdar, a lecturer in cybersecurity at Deakin University, said hackers can do a lot of damage in 22 days.
"It takes one day, or even hours, for hackers to use a combination of the information that has been stolen to crack an individual's system," Dr Jaigirdar said.
"Obviously this (delay) is not acceptable."
Partnered Health said it wanted to identify which of its clinics were impacted before alerting the public.
"We wanted to avoid causing undue concern and confusion by notifying people before we had a reliable understanding of what had occurred and who was affected," a spokesperson said.
"Investigations of this nature can be extremely complex and take time to complete accurately, and there is nothing to be gained by communicating inaccurate information regarding a serious incident such as this."
The early part of the investigation has determined that 21 clinics were impacted.
The company said it would not comment on any correspondence received from the hackers during the investigation.
'Very scary' information stolen
Last year the Office of the Australian Information Commissioner received 1,205 data breach notifications.
Health providers were the single largest source of those notifications, reporting more than 200 breaches.
Dr Jaigirdar said this is because the information they keep is both highly sensitive and very useful.
"The information that has been stolen is very scary," she said.
"(The hackers) can use it for a combination of things, such as creating usernames and passwords.
"(To create passwords) people sometimes use a combination of their name, address and Medicare number."
Given the potency of the information they hold, Dr Jaigirdar said health companies should be required to disclose that they were victims of a cyber attack within 48 hours.
While not all those subsequently notified would have had their data stolen, she said changing passwords as a precaution was preferable to having a bank account accessed.
A serious erosion of trust
Christopher Rudge, an expert in health law at the University of Sydney, was one of those who received a message from his medical clinic telling him his information had potentially been accessed.
He said the fact that doctor's notes might have been accessed was particularly distressing.
"What did I tell the GP and what is out there in the world now?" he said.
"What will I tell GPs in the future?
"Once trust is eroded or diminished, it can have knock on effects on the health system."
He described the relationship between a doctor and patients as "akin to priest and parishioner" but said the old rules around confidentiality were breaking down.
"In the modern digital world, the practitioner can do everything in their power to secure documents, but the system itself is vulnerable.
"It's a sign of how archaic our old notions of confidentiality have become."
Partnered Health successfully applied for an injunction preventing anyone in Australia from publishing information obtained through the hack.
But Dr Rudge said this would have limited practical effect.
"The problem is, of course, that things are published online anonymously and published in areas of the internet that are very hard to police.
"The injunction is very easy to get, but the level of protection that it gives to those who have had their data breached is very low."
He said every effort needed to be made to prevent data being taken in the first place.
Partnered Health has established a support page for impacted patients.