Australian Health Clinics Waited 22 Days to Warn Patients After Hackers Stole Medical Records

Partnered Health, which operates more than 60 clinics across Australia, sat on a serious data theft for three weeks before telling anyone. Experts say that gap is long enough to cause real harm.

ThreatVectr Newsdesk· 3 min read
Photoreal editorial image, full frame 16:9, of a dimly lit call centre workstation at night: a headset resting on a keyboard, a blurred screen showing an abstra
Share

Key points

  • Partnered Health, an Australian company running more than 60 health clinics, confirmed hackers stole patient data from at least 21 of its facilities.
  • The company first discovered the breach on June 23 but did not notify the public or affected patients for 22 days.
  • Stolen records potentially included names, dates of birth, home addresses, Medicare numbers, treatment histories, and private notes written by doctors during consultations.
  • A cybersecurity lecturer at Deakin University described the 22-day delay as "not acceptable" and called for mandatory 48-hour disclosure rules for health providers.
  • Partnered Health obtained a court order, called an injunction, stopping anyone in Australia from publishing the stolen data, though legal experts say its practical protection is limited.

Hackers broke into systems at Partnered Health, a company that runs more than 60 medical clinics across Australia, and walked away with some of the most sensitive personal information a file can hold. Doctor's notes. Medicare numbers. Addresses. Treatment details. The kind of information patients share in confidence and expect to stay private.

The company says it first noticed the intrusion on June 23. It told the public 22 days later.

Could that three-week silence make things worse for patients?

Yes, according to Fariha Jaigirdar, a cybersecurity lecturer at Deakin University. She told ABC News Australia that criminals can act on stolen health data within hours, not weeks. Combine a name, address, and Medicare number, and you already have enough raw material to guess or reset passwords on other accounts. "It takes one day, or even hours," she said. "Obviously this is not acceptable."

Partnered Health's defence is that investigations take time. The company says it wanted a clear picture of which clinics were affected before making any public statement, to avoid causing confusion with incomplete information. That is not an unreasonable position on its face. In practice, 22 days is a long runway for criminals who already have the data.

The failure mode here is a familiar one. Health organisations collect extraordinarily sensitive records, get breached, and then treat notification as the final step in a tidy internal process rather than an urgent warning to the people most at risk.

Jaigirdar wants the law changed. She argues health providers should face a mandatory 48-hour disclosure window after discovering a breach, a rule that would force speed over polish in how companies communicate. Australia's Office of the Australian Information Commissioner received 1,205 data breach notifications in the most recent reporting year. Health providers filed more than 200 of those, making them the single largest source.

For patients, there is a knock-on problem beyond fraud. Christopher Rudge, a health law expert at the University of Sydney and himself a patient at one of the affected clinics, pointed to something harder to quantify: trust. If people worry that what they tell a doctor might end up exposed online, some will simply stop sharing. Or stop going at all. That silence has consequences for public health that no court injunction fixes.

Partnered Health did obtain an injunction preventing anyone in Australia from publishing the stolen material. Rudge is blunt about its value. Easy to get, low protection in practice, given how freely data moves across anonymous corners of the internet beyond any court's reach.

If you are a patient at a Partnered Health clinic, change your passwords now, especially on any account where you used your name, address, or a number tied to your identity. Watch your bank statements. Partnered Health has set up a support page for affected patients.

Operational takeaway: notification delay is not a communication strategy, it is a liability that compounds every hour the patient doesn't know to act.

© 2026 Threat Vectr