Patients of one of Australia’s largest healthcare groups have had their medical records exposed in a security incident affecting multiple clinics.

Partnered Health, which runs more than 60 clinics across Australia, said it became aware of a malicious actor having accessed some of its data on 23 June.

“Our investigations to date have confirmed that personal information – including health information – was taken from some of the clinics in our network,” wrote Partnered Health.

The company affirmed that 21 of its clinics – including in NSW, Victoria, Queensland, and Canberra — may have been affected.

The affected clinics include:

  • Blackburn Road Medical Centre
  • Broadway General Practice
  • Bundall Medical Centre
  • Cardiff Medical Centre & Skin Cancer Clinic
  • Castle Hill Family Doctors
  • Champion Drive Medical Centre
  • Chancellor Park Family Medical Practice
  • Dromana Family Doctors
  • Dural Medical Centre
  • Joondalup City Medical Group
  • Kealba Family Practice
  • Mornington Family Doctors
  • Noosaville Seven Day Medical Centre
  • North Canberra Family Practice
  • Park Beach Family Practice
  • Park Orchards Family Practice
  • Rockingham City Family Practice
  • Sans Souci Medical Practice
  • Templestowe District Medical Centre
  • Wentworth Avenue Family Practice
  • Wyong Family Practice

In addition to names and personal contact details, Information Age understands the data breach has impacted a range of sensitive medical data, including Medicare numbers and diagnostic results.

In a website post released Wednesday, Partnered Health said it was communicating with patients from impacted clinics.

The company has reported the breach to law enforcement, the Office of the Australian Information Commissioner, and the Australian Cyber Security Centre.

“We are continuing to work with the authorities,” said Partnered Health.

What information is affected?

Partnered Health explained the incident may have affected personal information that staff collected while providing patients with healthcare services.

This may have included names, dates of birth, addresses and contact details.

Impacted medical details may have included Medicare numbers and, where applicable, private health insurance, Veteran Card (DVA) numbers, or concession card numbers.

In addition, consultation notes, referral letters, and pathology or diagnostic results recorded by GPs or other medical professionals across the company’s clinics, may have also been taken.

Notably, the company said it does “not currently know” the extent of personal information that has been impacted.

While the company has confirmed information may have been stolen for 16 clinics, investigators are still working to determine whether five clinics, including some in Western Australia, have had details stolen.

Information Age understands patients for these five clinics have still received “precautionary” SMS and email messages to inform them of the incident.

Partnered Health has reported the incident to Services Australia so “additional monitoring” can be placed on impacted Medicare cards.

Is it ransomware?

At the time of writing, Information Age has not located any leaked Partnered Health records on the dark web or underground hacking forums.

Partnered Health said it engaged “specialist cyber experts to provide advice” in late June and took immediate steps to contain the incident.

Information Age has asked whether the company has received any ransom demands in relation to the incident, but did not receive a response prior to publication.

The company was also asked how the underlying security incident may have occurred.

Partnered Health acquires injunction, but will hackers care?

Partnered Health said it had acquired an interim injunction to “help protect our patients and people”.

Granted by the Supreme Court of New South Wales, the injunction effectively orders that the illegitimately accessed data is not used or published by unauthorised parties.

Jamieson O'Reilly, white hat hacker and founder of information security company Dvuln, said those who took the data are “almost certainly” offshore in jurisdictions that will “never enforce an Australian court order”.

“An injunction is absolutely not going to stop these criminals sharing or weaponising this data,” O’Reilly told Information Age

He said while injunctions can weaken a cybercriminal’s ability to leverage media coverage in potential ransom negotiations, they largely leave adversaries “unaffected”.

“In addition, injunctions can actually make life harder on the defenders' side,” he said.

“When you're trying to help affected people, you often need to collect and analyse the data yourself after it gets released by these cybercrime gangs to work out exactly who was hit and what was exposed, so you can get the right information to the right parties.”

Among other safety actions, Partnered Health has recommended people exercise basic scam safety steps such as being alert to suspicious contacts and avoiding links or attachments that look “unusual or unexpected”.

“As a health services provider, we know our patients and our people trust us with personal and medical information,” wrote Partnered Health.

“We sincerely apologise for any concern and inconvenience this may cause them.”