Hackers Hit 21 Australian Health Clinics, Putting Medicare Numbers and Test Results at Risk

Partnered Health confirmed a data breach on 23 June that reached patient files across Sydney, Melbourne and Canberra. Experts warn the stolen records could surface for sale on hidden online marketplaces.

ThreatVectr Newsdesk· 2 min read
Photoreal editorial shot of a generic discount supermarket storefront at dusk in a European city, warm interior light glowing through glass doors, empty shoppin
Share

Key points

  • A "malicious actor" broke into Partnered Health's systems on 23 June, the company confirmed.
  • 21 clinics across Sydney, Melbourne and Canberra were affected.
  • Stolen data includes Medicare numbers, treatment details and pathology (laboratory test) results.
  • Experts warn the records could be sold on dark-web markets, which are hidden online spaces criminals use to trade stolen information.
  • Partnered Health is one of Australia's largest healthcare providers.

A criminal broke into the computer systems of Partnered Health, one of Australia's biggest healthcare companies, and walked out with some of the most sensitive personal information that exists: Medicare numbers, treatment histories and pathology results, meaning the results of blood tests and other laboratory work.

The company confirmed the attack happened on 23 June. Twenty-one clinics across Sydney, Melbourne and Canberra were affected.

Could stolen medical records end up for sale?

Yes, according to cybersecurity experts cited by Guardian Australia. The records could appear on dark-web markets, which are hidden parts of the internet that ordinary browsers cannot reach, where criminals buy and sell stolen data.

Medical records are especially valuable to criminals. They contain enough personal detail to open fraudulent accounts, make fake insurance claims, or impersonate a patient. Unlike a password, you cannot simply change your Medicare number.

Partnered Health used the phrase "malicious actor" in its disclosure, which is standard corporate language for an outside criminal or group that deliberately broke in. The company has not named a specific group or method.

The breach touches a wide range of people. Anyone who visited one of the 21 affected clinics and had records stored there should assume their information may have been taken.

If you are a patient at one of those clinics, watch for unexpected letters or calls from Medicare, unfamiliar charges on any health-related accounts, or anyone contacting you claiming to be from the clinic and asking for further personal details. Report anything suspicious to Services Australia, which runs the Medicare program.

Organisations that hold medical data face strict obligations under the Australian Privacy Act, which requires them to notify affected individuals and the Office of the Australian Information Commissioner when a data breach is likely to cause serious harm. Whether Partnered Health has satisfied those notification requirements, and on what timeline, is a question the regulator will likely examine closely.

The incident also arrives as Australia's broader healthcare sector faces rising scrutiny over data security, following several high-profile breaches in recent years. Regulators and policymakers have repeatedly pointed to healthcare as a sector that holds extremely sensitive data but has historically under-invested in protecting it.

© 2026 Threat Vectr