Partnered Health cyber attack stole GP medical records
Partnered Health cyber attack stole medical and personal data from clinics in its GP network, prompting notices to patients, the ACSC and OAIC.

Partnered Health said a 23 June cyber attack stole medical records and personal details from patients at clinics in its Australian GP network. The company has described the breach in careful terms: unauthorised access, data taken from some clinics, and an investigation still trying to identify every affected patient. It has not said whether all affected patients have been contacted.
According to ABC News, investigators confirmed that personal information, including health information, was removed from parts of the network. ABC reported Partnered Health operates 57 clinics nationally and believes 16 facilities were affected.
Health data changes the usual breach calculus. A GP file can join identity details, contact information, Medicare or billing material and clinical history in one record. A patient can cancel a card or reset a password; a consultation note cannot be replaced in the same way. The practical risk is broader, too: stolen health information can expose family relationships, prescriptions, diagnoses or appointment histories that patients did not expect to share outside a clinic. The company has not publicly named an attacker or explained how the intrusion happened, and it has not given a total number of records stolen.
“Our investigations to date have confirmed that personal information, including health information, was taken from some of the clinics in our network.”
Partnered Health, via ABC News
Partnered Health said it had obtained an interim injunction from the Supreme Court of New South Wales ordering that the accessed data not be used or published. That step does not undo access to the material, but it gives the company a legal mechanism to push back if the data is used or published while forensic work continues.
Regulators have also been brought in. The company said it notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, putting the breach before the federal cyber agency and the national privacy regulator. The OAIC role matters because health information is among the categories of personal information that usually carries the highest risk for affected people. For patients, the next useful update is likely to be specific: whether their clinic was in scope and what category of information was copied.
The clinic tally was still uneven on Wednesday. SBS News said 21 clinics across several Australian cities were affected, higher than the 16 facilities cited by ABC. SBS also reported Partnered Health’s wider services reach more than five million people nationally. The difference between 16 and 21 clinics may reflect investigators separating directly compromised sites from clinics caught up in the broader response.
In a statement carried by SBS, Partnered Health apologised to patients and staff.
“As a health services provider, we know our patients and our people trust us with personal and medical information, and we sincerely apologise for any concern and inconvenience this may cause them.”
Partnered Health, via SBS News
For patients, the unanswered questions are practical rather than abstract. Partnered Health has confirmed the attack date, the kinds of information taken and the regulators it has notified. It has not said whether the data has been published, who was behind the intrusion, or when each affected patient will receive a final account of what was in their file.
Reza Khalil
Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.


