Partnered Health Waited 22 Days to Tell Patients Hackers Stole Their Medical Records
An Australian clinic operator discovered a serious data theft on June 23 and stayed silent for three weeks. Cybersecurity experts say that gap gave criminals a dangerous head start.

Partnered Health, the Australian company running more than 60 medical clinics, confirmed in mid-July 2025 that hackers had stolen patient records from at least 21 of its facilities, and that it had known about the breach for 22 days before saying anything publicly.
What Was Stolen
The records taken were not generic contact details. Attackers obtained a combination of full names, dates of birth, home addresses, Medicare numbers, clinical treatment histories, and private notes doctors wrote during patient consultations. That last category matters most. Consultation notes are among the most intimate records a health system holds: they capture what patients say privately, in a room where they believe the information goes nowhere else.
Combine a name, address, and a Medicare number, and a criminal has enough to probe account-recovery systems, answer security questions, or impersonate a patient to a government service. The damage is not hypothetical.
The 22-Day Window
Partnered Health says it discovered the intrusion on June 23. The company's stated reason for the delay was methodical: it wanted to identify exactly which clinics were affected before making a public statement, so patients would receive accurate, clinic-specific information rather than a vague alarm.
That rationale is understandable in theory. In practice, it misunderstands who the delay helps.
Fariha Jaigirdar, a cybersecurity lecturer at Deakin University, put it plainly. "It takes one day, or even hours," she said, explaining how quickly criminals can act on stolen health records. "Obviously this is not acceptable." Criminals do not wait for an organisation's internal investigation to close before they start monetising what they took.
Jaigirdar has called for Australian law to mandate a 48-hour breach disclosure window specifically for health providers, a hard deadline that would force organisations to prioritise warning patients over polishing their communications. Australia's Office of the Australian Information Commissioner recorded 1,205 data breach notifications in its most recent annual reporting period. Health providers submitted more than 200 of those, making the sector the single largest contributor to the total. The frequency is not a coincidence: health records contain dense concentrations of personally identifiable information, making them high-value targets.
The Trust Problem Courts Cannot Solve
Christopher Rudge, a health law expert at the University of Sydney and a patient at one of the affected clinics himself, raised a concern that extends beyond fraud. When patients fear their most private disclosures could be exposed, some stop sharing fully with their doctors. Some stop attending at all. That behavioural shift is difficult to measure and impossible to compensate for with a court order.
Partnered Health did obtain an injunction prohibiting anyone in Australia from publishing the stolen data. Rudge described its practical protection as limited. Data shared across anonymous international networks does not respect the jurisdiction of any domestic court.
Which Controls Failed Here
The breach itself illustrates a pattern that the Verizon Data Breach Investigations Report has documented consistently: health organisations are repeatedly targeted because they hold rich personal data but often carry authentication and network segmentation gaps that more security-mature sectors have already addressed. Without public disclosure of the specific attack vector, the entry point remains unconfirmed. What is confirmed is the organisational failure that followed discovery.
Notification delay is itself a control failure, not simply a communications choice. Australia's Privacy Act requires organisations to notify affected individuals "as soon as practicable" after a breach is assessed as likely to cause serious harm. Twenty-two days is difficult to defend under that standard, and Jaigirdar's push for a fixed 48-hour rule reflects where international regulators are moving. The EU's General Data Protection Regulation already requires notification to supervisory authorities within 72 hours of becoming aware of a breach.
For defenders watching this case, the lesson is structural. Build your incident response plan so that patient notification is a parallel workstream, not the final step. Accurate-but-slow communication is not better than prompt-but-partial. Patients need time to act. Every hour of internal silence is an hour they cannot spend changing passwords, monitoring accounts, or contacting Medicare.
Employee awareness is a direct line of defence here too. When staff recognise phishing attempts, report anomalies promptly, and understand exactly what data they handle, the window between attacker access and defender response shrinks. Organisations that invest in structured security-awareness training build the internal reflex to treat a detected anomaly as urgent rather than administrative.
What Affected Patients Should Do Now
Partnered Health has established a support page for affected patients. If you attended any Partnered Health clinic and are unsure whether your records were involved, treat yourself as affected until you hear otherwise.
- Change passwords on any account that uses information tied to your identity: name, date of birth, address, or numbers you have shared with a health provider.
- Review recent Medicare and banking activity for anything unfamiliar.
- Consider placing a credit alert with a major credit reporting body.
- Do not respond to unexpected calls or emails claiming to be from Partnered Health or Medicare until you verify the contact through official channels.
The injunction Partnered Health obtained may slow some local exposure. It will not stop data that has already moved beyond Australian jurisdiction. The practical protection available to patients is the action they take themselves, starting now.
How a faster internal response could have protected patients
- Build notification into your incident response plan as a parallel workstream, not the final step, so patients can act while your investigation is still running.
- Train staff to recognise and report anomalies immediately. The faster an intrusion is detected and escalated, the shorter the window attackers have to exfiltrate records.
- Audit the personal data your organisation holds and apply least-privilege access so a single compromised account cannot reach records across dozens of facilities.
Train2Secure's security-awareness programmes help clinical and administrative staff build the habits that compress attacker dwell time and keep patient data safer.
Start free, no card requiredSources & further reading
Frequently asked questions
What information did hackers steal from Partnered Health?
Attackers obtained patient names, dates of birth, home addresses, Medicare numbers, treatment histories, and private clinical notes written by doctors during consultations across at least 21 clinics.
Why did Partnered Health wait 22 days before notifying patients?
The company says it needed time to confirm which clinics were affected so it could give patients accurate, specific information. Cybersecurity experts argue that delay gave criminals an unacceptable head start and may conflict with Australia's Privacy Act requirement to notify as soon as practicable.
Does the court injunction protect affected patients?
Only partially, and in practice very little. The injunction stops publication of stolen data within Australian jurisdiction, but data shared on international or anonymous networks is effectively beyond the reach of any domestic court order.
What should patients at Partnered Health clinics do right now?
Change passwords on any account linked to your personal details, monitor your Medicare and bank records for unusual activity, and contact Partnered Health's support page for breach-specific guidance. Treat yourself as affected unless confirmed otherwise.



