Partnered Health, a network of over 50 GP and skin-cancer clinics across Australia, confirmed on July 15, 2026, that cyberattackers stole patient medical records—including GP consultation notes, referrals, and pathology results—from at least 16 of its clinics. The data was accessed during a malicious intrusion first detected on June 23, meaning the attackers had a three-week head start before patient notifications began.
More than just names and addresses, the stolen files contain uniquely sensitive information that can be used to craft sophisticated scams, commit identity fraud, and potentially interfere with a person’s healthcare. For anyone who visited a Partnered Health clinic in the past, the next few weeks call for caution and deliberate steps to safeguard your identity.
What Was Stolen
The breach didn’t just skim contact details. Partnered Health disclosed that the following categories of information were potentially accessed and removed from its systems:
- Names, dates of birth, addresses, phone numbers, and email addresses
- Medicare numbers and private health insurance details
- Concession card information
- Clinical records: GP consultation notes, referral letters, and pathology / diagnostic results
ABC News reported that 16 clinics have been identified as locations where records may have been taken. Five more sites—in Western Australia and Victoria—remain under investigation, meaning the total could grow beyond the initial 16. Cities with confirmed affected clinics include Melbourne, Sydney, Canberra, the Gold Coast, Sunshine Coast, and Coffs Harbour.
The provider says it became aware of the malicious activity on June 23, but patients only started receiving SMS notifications on July 15, according to EFTM. That 22-day gap, Partnered Health explained, was spent conducting forensic analysis to determine the scope before alerting individuals—a standard but frustrating period for those now wondering whether their medical history is in the open.
Who Is Affected
If you received an SMS or email from Partnered Health about this incident, your data was likely caught up in the breach. The company is notifying impacted individuals directly as its investigation progresses. If you haven’t been contacted but visited one of the clinics in the affected cities, remain vigilant: the five sites still under scrutiny mean the list could expand.
Patients who haven’t visited a Partnered Health clinic are not directly affected by this incident. However, the nature of the stolen data—specifically, Medicare details—means that even non-patients should watch for fraudulent Medicare or health-related scams in the coming months, as criminals often blend real and fake information to appear credible.
Why This Breach Is Different
Personal information breaches are common. But when a criminal holds both your identity documents and your detailed medical history, the threat multiplies. Here’s why that mix is so dangerous:
- Convincing impersonation: A phishing email can reference a real recent blood test or referral, making it easy to trick you into handing over more data or clicking a malicious link.
- Permanent exposure: Unlike a password or credit card number, your medical history cannot be changed. A diagnosis, medication list, or consultation note remains valid and sensitive forever.
- Insurance and billing fraud: With Medicare numbers and health insurance details, attackers could submit false claims, potentially disrupting your coverage or benefits.
- Targeting the vulnerable: Patients with specific chronic conditions or recent serious diagnoses could be singled out for medical scams, fake treatment offers, or blackmail.
Partnered Health has obtained an interim injunction from the Supreme Court of New South Wales to prevent the use or publication of the stolen data. While this can deter legal entities within Australia, it cannot force anonymous attackers overseas to delete the files or stop them from being sold on dark-web forums.
What You Should Do Now
If you’re a patient of Partnered Health—or even if you’re not but want to harden your defenses—take these steps immediately:
-
Verify any communication claiming to be from Partnered Health.
Do not click links in SMS or emails. Instead, visit the official Partnered Health website (type the URL yourself) or call your clinic directly using a phone number you find independently—not one provided in a suspicious message. -
Monitor your Medicare and health insurance activity.
Check your Medicare claims history via myGov or the Express Plus Medicare app. Look for services you didn’t receive. Contact Services Australia immediately if you see anything suspicious. -
Be alert to targeted phishing.
Expect a rise in highly personalized scams—fake appointment reminders, “unusual activity” alerts on your health account, or calls from people who know your recent medical history. Do not give out personal details over the phone unless you initiated the call. -
Consider placing a credit ban or subscribing to identity monitoring.
While health data isn’t directly used for credit applications, the identity documents stolen here could enable financial fraud. Australia’s major credit bureaus (Equifax, Experian, illion) allow you to request a short-term credit ban, making it harder for fraudsters to open accounts in your name. -
Request a new Medicare card if you have been notified.
If Partnered Health explicitly confirms your Medicare number was compromised, contact Services Australia to have your card re-issued. Be aware that you’ll need to update your number with your GP and other providers. -
Review your digital hygiene.
Use strong, unique passwords for your myGov and health insurance accounts, and turn on multi-factor authentication wherever possible.
If you manage IT for a healthcare clinic—especially one using shared workstations or remote access—this incident is a stark reminder: segment clinical-record systems from general office networks, enforce phishing-resistant MFA, and ensure endpoint detection covers every PC, including reception desks. Logs must be retained long enough to reconstruct access weeks later.
The Bigger Picture: Healthcare Under Siege
Australia’s health sector has become a prime target for cybercriminals. The Office of the Australian Information Commissioner (OAIC) reported 1,205 data breach notifications in 2025—the highest since the Notifiable Data Breaches scheme began in 2018. Health service providers led all sectors, accounting for 225 notifications (19% of the annual total), with malicious or criminal attacks driving the trend.
These figures explain why Partnered Health’s breach drew rapid engagement from the Australian Cyber Security Centre, law enforcement, and Services Australia. The involvement of Services Australia is especially notable because Medicare identifiers are now in criminal hands.
Adding complexity, Bupa announced an agreement to acquire Partnered Health Group from Quadrant Private Equity just weeks before the breach was discovered. There is no evidence the transaction caused the incident, but it raises questions about cyber due diligence and the condition of technology estates before integration. For Bupa, if the deal proceeds, a thorough security audit will be critical before linking Partnered Health’s systems into a larger healthcare network.
What Partnered Health Needs to Do Next
For patients, the most pressing unknowns remain the true number of affected individuals, the specific clinics involved, and whether the attacker still has a foothold in any system. Partnered Health has not disclosed how the intrusion occurred, whether ransomware was involved, or if clinical operations were disrupted. Those details matter, because they signal whether the risk has been fully contained.
A transparent update—at least confirming the remediation steps taken and the final tally of affected patients—will go a long way toward rebuilding trust. Until then, affected patients should assume any message that references real medical or Medicare details is potentially fraudulent.
Outlook
Expect Partnered Health to release further details in the coming days as forensic work concludes. Regulators will likely scrutinise the 22-day notification delay and the security controls in place at the time of the attack. For patients, the practical work is personal: verifying facts, hardening accounts, and approaching every unsolicited contact with healthy skepticism. In an era where a GP visit can become a lasting digital vulnerability, caution is the only cure.