Back to Insights
Breaches4 min read19 July 2026

Partnered Health Breach Exposes Medicare Numbers and Pathology Results Across 21 Australian Clinics

A confirmed intrusion on 23 June 2025 reached patient files at clinics in Sydney, Melbourne and Canberra, putting some of the most sensitive health data imaginable within reach of criminal markets.

t2s
train2secure NewsdeskSecurity awareness team
A photoreal editorial scene inside a quiet Australian medical clinic corridor, fluorescent lighting overhead, a row of c

A criminal gained unauthorised access to Partnered Health's systems on 23 June 2025, stealing Medicare numbers, treatment histories and pathology results from patients across 21 clinics in Sydney, Melbourne and Canberra.

What Was Taken and Why It Matters

Medical records sit at the top of the criminal data hierarchy. A stolen password can be reset in minutes. A Medicare number cannot. Pathology results, diagnoses and treatment histories carry enough personal detail to support fraudulent insurance claims, open financial accounts in a victim's name, or impersonate a patient in a clinical setting. Cybersecurity professionals have documented this dynamic for years, and the Verizon 2024 Data Breach Investigations Report confirmed that healthcare remains one of the most targeted verticals globally, with internal actors and external criminals alike pursuing patient data for its high resale value.

Partnered Health describes itself as one of Australia's largest healthcare providers. The scale of that network means the 23 June intrusion was not a small clinic with a handful of records. It was a significant event touching patients across three major Australian cities.

What Partnered Health Said

The company confirmed the breach publicly and used the phrase "malicious actor" in its disclosure, a standard term indicating an external threat rather than accidental exposure. No specific criminal group or intrusion method has been named publicly as of publication. That gap matters: without knowing whether attackers used phishing, credential stuffing, an unpatched vulnerability or a compromised vendor, patients and the broader healthcare sector cannot fully assess the risk.

Anyone who attended one of the 21 affected clinics and had records stored in those systems should treat their data as potentially compromised. Watch for unexpected Medicare correspondence, unfamiliar charges on any health fund account, or contact from someone claiming to represent the clinic and asking for further personal information.

The Regulatory Dimension

Australia's Privacy Act 1988, enforced by the Office of the Australian Information Commissioner (OAIC), requires organisations to notify affected individuals and the OAIC when a data breach is likely to result in serious harm. Medical record exposure almost always meets that threshold. The OAIC's Notifiable Data Breaches scheme has seen healthcare consistently top the list of reporting sectors for several consecutive years, a pattern that reflects both the sensitivity of health data and the frequency with which it is targeted.

Whether Partnered Health satisfied notification obligations within the required timeframes is a matter the OAIC will likely scrutinise. Patients who believe they have not received adequate notification have the right to submit a complaint directly to the Commissioner.

Which Controls Failed

The absence of a disclosed attack vector is itself a red flag. Mature incident response programmes identify, document and disclose the root cause as part of the notification process. The fact that Partnered Health has not done so publicly suggests either that the investigation is still ongoing or that internal visibility into the network was limited before the breach.

Healthcare organisations routinely struggle with three compounding weaknesses. First, identity hygiene: shared credentials, dormant accounts and service accounts without multi-factor authentication create wide attack surfaces. Second, unpatched internal systems: clinical software often runs on legacy infrastructure where vendors do not push timely security updates and IT teams are reluctant to patch systems that cannot afford downtime. Third, flat network architectures: once an attacker is inside, they can move laterally from administrative systems to clinical record databases without encountering meaningful internal controls.

Any one of these failures could explain a breach of this type. All three together are a reliable recipe for exactly the kind of outcome Partnered Health is now managing.

What Defenders Should Learn

The stolen records from this incident will almost certainly test the Australian dark web market. Researchers have observed medical records trading at a premium compared with financial credentials because they are harder to invalidate and contain more useful personal detail per record. That reality should sharpen the urgency for every Australian healthcare provider to audit its controls now, not after a breach notification.

Start with identity. Enforce phishing-resistant MFA on every account with access to clinical systems, including vendor and contractor accounts. Segment clinical record databases from general administrative networks so that a compromised endpoint cannot become a direct pathway to patient files. Review patch currency on every system that touches patient data and establish an exception management process with hard deadlines for any system that cannot be patched immediately.

Human behaviour remains the most reliable entry point for attackers targeting any sector. Employees who recognise phishing attempts, who understand why credential sharing is dangerous, and who know how to report suspicious activity close the gap that technical controls alone cannot. Embedding that awareness systematically is what security-awareness training is designed to do, and healthcare staff interacting with patient data every day represent one of the highest-value training populations in any organisation.

The OAIC's guidance on the Notifiable Data Breaches scheme sets out minimum obligations, but minimum compliance is not the same as reasonable security. The difference between the two is where breaches happen. Healthcare boards and CISOs who want to understand what a proportionate controls framework looks like can start by mapping their current posture against the standards and frameworks that regulators and auditors expect to see.

How a breach like this could have been prevented

  • Enforce phishing-resistant multi-factor authentication on every account with access to clinical or patient record systems, including contractor and vendor accounts.
  • Segment clinical databases from general administrative networks so that a single compromised endpoint cannot provide direct access to patient files.
  • Train all staff who interact with patient data to recognise phishing attempts and credential-sharing risks, because human error remains the most reliable initial access vector in healthcare breaches.

Train2Secure offers role-based security-awareness training built for organisations that hold sensitive data, with modules your clinical and administrative staff can complete without disrupting patient care.

Start free, no card required

Frequently asked questions

What data was stolen in the Partnered Health breach?

The stolen data includes Medicare numbers, treatment histories and pathology results such as blood test outcomes. These records are particularly valuable to criminals because they cannot be changed the way a password can and contain enough personal detail to support identity fraud and fake insurance claims.

Which clinics and cities were affected?

Twenty-one clinics across Sydney, Melbourne and Canberra were affected. Any patient who visited one of those clinics and had records stored in Partnered Health's systems should assume their data may have been compromised.

What should affected patients do right now?

Monitor for unexpected Medicare correspondence or unfamiliar charges on health fund accounts. Report suspicious contact claiming to be from the clinic to Services Australia, which administers Medicare. You can also lodge a complaint with the Office of the Australian Information Commissioner if you believe you have not received adequate notification.

What are healthcare organisations legally required to do after a breach like this?

Under Australia's Privacy Act 1988 and the Notifiable Data Breaches scheme administered by the OAIC, organisations must notify both affected individuals and the OAIC when a breach is likely to cause serious harm. Medical record exposure almost always meets that threshold, and failure to notify on time can result in regulatory action.

Ready to Reduce Your Human Cyber Risk?

Sign up and start training your team in minutes. No sales calls, no demos — just pick a plan and go. Phishing simulations, video courses, and certificates from day one.

train2secure analytics dashboard showing training completion stats and user progress