Expert Reaction
These comments have been collated by the Science Media Centre to provide a variety of expert perspectives on this issue. Feel free to use these quotes in your stories. Views expressed are the personal opinions of the experts named. They do not represent the views of the SMC or any other organisation unless specifically stated.
Mihai Lazarescu is an Associate Professor at Curtin University
"Incidents like this are severely underreported because the organisations that have been compromised do not know that a breach had already occurred.
This will be increasingly common as long as the same approach to cyber defence is used as in the past.
AI and the cloud model will not solve the problem - on the contrary, it will turn it into something that people cannot grasp yet.
There is not enough expertise available to effectively defend online organisations and this will be more clearly seen as time goes by.
In the next decade I expect this to be a problem that will move from being solvable to finally being treated as it should be – something to manage as best as possible while looking for alternative means of handling and storing personal identifiable medical data."
Dr Qiang Tang is an Associate Professor in the School of Computer Science at The University of Sydney
"The Partnered Health breach is part of a deeply troubling pattern. Health service providers now account for a large share of data breach notifications in Australia, and this incident is a stark reminder of why.
The instinct after a breach is to ask how attackers got in. But that is the wrong question. Whether the entry point was a phishing email, a compromised credential, or an unpatched vulnerability, the outcome is the same: patient data walked out in a form that was immediately usable. Consultation notes, referral letters, pathology results, medicare details, all exposed in plaintext.
The right question is what happens to data once the perimeter fails. End-to-end protection at the data layer is the answer. Patient records should be encrypted properly at the point of creation and remain protected through storage, sharing between clinics, and collaboration with specialists readable only by authorised parties at the point of use.
This protects patient privacy, but also ensures any tampering with clinical records is immediately detectable, making it a patient safety measure and not just a legal compliance one.
The research and tools to achieve this are maturing. But the gap is not only technical. Closing it requires regulatory mandate, genuine industry awareness of what is now possible, and a shift in how healthcare organisations think about data protection across the entire lifecycle of patient information."
Dr Christopher Rudge is a Lecturer in Health Law from the Sydney Law School and Deputy Director of Sydney Health Law at The University of Sydney
"Health providers are the most frequently breached sector in Australia. Last year the Office of the Australian Information Commissioner received a record number of data breach notifications, with health providers being the largest single source. The present attack has the familiar features of the now common health data breach: a network holds sensitive records, an intruder takes them, and their release online is held out as a threat.
Partnered Health has said that it has "sought legal orders to protect" the data. In practice that likely means an injunction restraining any person from using or publishing it, like that which Genea Fertility obtained last year. But an injunction restrains only further disclosure. It does not undo the theft, nor compensate the patients whose records have been taken.
Redress is therefore difficult. The new statutory tort is directed to a serious invasion of the privacy of one individual. It is not for a breach that affects thousands at once. A patient whose data is circulated has, in practice, two avenues: a complaint to the privacy regulator, or an action for breach of confidence. Neither is designed to compensate harm on this scale.
A further concern is to trust. General practice depends upon patients' confidence that what they tell a doctor remains private. Each breach diminishes that confidence. Some patients may now reconsider what they disclose, and some where they seek care."
Professor David Parry is a Professor of Computer Science at Murdoch University and a Fellow at the Australasian Institute of Digital Health
"This is a very distressing, criminal attack on the people affected.
The main action for victims now is to remain careful about your personal 'cyber-hygiene' and be on the look out for unexpected or suspicious-looking communications that appear to have knowledge about you - https://www.scamwatch.gov.au/ is a very good source of advice.
Another important message is not to be embarrassed if you think you may have been scammed – it happens to lots of people and its not your fault that people do these things – report it and take action straight away.
Systems with two factor authentication and that use approaches like something you have (phone), AND something you know (password) AND possibly something you are, e.g. face recognition, give a high level of protection.
Without any inside information there are some points I’d like to make:
1) The involvement of Australian Cyber Security Centre is very good. In cases across the world state actors have tried to access medical information about politicians etc. for leverage and it’s a priority for the security services to prevent this I don’t see any evidence that this is happening here, this looks more opportunistic given the current reports.
2) Given that the reports say that it appears to be multiple systems at different times, this looks like an attack where the attackers discovered a known vulnerability or 'got lucky' with some sort of phishing or other social engineering attack, rather than a targeted attack.
3) You can’t tell the level of sophistication of the attackers from these reports, but the fact it has been discovered probably means this s at the lower end of the sophistication scale. Unfortunately, scripts and tools for attacks are available for sale on the dark web etc., and some hacking groups basically 'hack for hire'.
4) The data is not being held from the owners and denied to the health provider, this has happened in health systems before (ransom attacks) which is even more disruptive and dangerous. Alteration of data is relatively difficult to do and this doesn’t seem to have happened.
5) There may be good reasons for the apparent delay in report to patients (eg investigations taking place etc.). This will come out in the investigation, but normally a quick announcement is best.
6) Of course, the most dangerous breach is when the victims don’t know that their data has been stolen, so adopt routine 'cyber-hygiene'!
Unfortunately, these sorts of attacks are relatively common. World-wide UN estimates suggest a third of health institutions worldwide have had such attacks (https://news.un.org/en/story/2024/11/1156751) and US figures say losses due to cyberattacks are over $13Bn USD/year.
Health systems are complex and many providers are quite small – like this one – so don’t have large security teams. It would be very helpful if the Government and health organisations and professional bodies got together to not only produce guidelines for safe working but establish practical methods for audit and securing of health systems – this is a patient safety issue. Just as we have a network of building inspectors etc. who assesses whether lifts etc.in hospitals are safe and can refer issues to licenced contractors, I think a similar system would be useful for cybersecurity in healthcare."
Dr Fariha Tasmin Jaigirdar is a lecturer in cybersecurity at Deakin University
"Medical records sit at the highest tier of data sensitivity and this breach potentially exposes not just names and Medicare numbers, but consultation notes and pathology results. That is a person's most intimate story. What troubles me is that after Medibank, we should have learned. Yet here we are again, which means we must think far more deeply about the overall network architecture, where the holes are, whether clinical systems are properly segmented, and whether detection reaches every endpoint. This incident gives me the feeling of data not being 'monitored' or even 'not being diagnosed at every step of data propagation' from the security control perspectives.
The 22-day delay in telling patients is not acceptable. The scary part that I can think of is generally individuals build passwords and usernames from familiar combinations, such as names, dates of birth, medicare numbers, addresses so that they can remember those easily without the trouble of writing those down somewhere. It is quite possible that they use the same usernames and passwords for other systems they access, such as their banking system, mortgage payments, or superannuation accounts. Every day of silence, therefore, is a token of help to attackers working through exactly those combinations. Patients needed to know immediately so they could take extra caution with their data. From a company that claims to be Australia's most trusted provider of primary healthcare, that delay undermines the very trust it trades on.
This is ultimately about regulation: patients have a right to know promptly when their health data is compromised and our disclosure laws must make that right real."
Toby Murray is a Professor in the School of Computing and Information Systems at The University of Melbourne
"This incident is a timely reminder about the dangers of centralising sensitive information into large systems.
This incident breached a large network of GP health clinics. Whenever businesses store sensitive information in a common computer system, such as the kind of cloud-based storage systems that might have underpinned the operation of Partnered Health’s various clinics, there is a risk that if the system is breached that many individuals will be affected.
Operators of large businesses with sites that span many locations should set up their IT so that each site can access only the information that it needs, with careful processes established for when information needs to be shared between sites to ensure that only what needs to be shared is shared and with only the people who need to access it."
Dr Jacqueline Boaks is the Curriculum Lead for the Centre for Applied Ethics at Curtin University
“Health data is some of the most sensitive and private data any of us have. Leaking of this risks not only privacy violations but other serious harms including discrimination. Exposure of health data is exactly the kind of case that shows that to maintain a social licence, data centres need to ensure that they have the highest level of protections.
Guardrails and regulations in this area need to require that companies keep up to date with the ever-evolving best practice and state-of-the-art protections and known threats. Just as industries and professions such as health, law, and teaching must avoid negligence by keeping up to date with the required levels of protections and duty of care, we need to think about what practice standards we hold those who keep our data to.”
Dr Rahat Masood is a Senior Lecturer in Cyber Security at UNSW Sydney
"This incident is another reminder that healthcare organisations remain prime targets for cybercriminals because they store highly sensitive personal and medical information. We have seen similar attacks on healthcare providers in Australia and overseas over recent years, still they continue to demonstrate that cybersecurity must be treated as a patient safety issue, not just an IT issue.
My biggest concern is the long-term impact on affected patients. Unlike passwords, medical records cannot simply be changed. Stolen health information can be used for identity fraud, highly targeted phishing scams, and other forms of exploitation for years to come. Patients should be particularly cautious of unexpected emails, text messages or phone calls claiming to be from healthcare providers or government agencies, especially if they request personal information or payments.
From my perspective, the key lesson from previous incidents is that healthcare organisations need to assume cyberattacks will happen and focus equally on prevention, rapid detection and effective response. Strong security controls, including multi-factor authentication, continuous monitoring, regular [software] patching, staff awareness and well-rehearsed incident response plans, are essential to minimise the impact of these attacks and maintain public trust."
Professor Matthew Warren is the Director of the RMIT University Centre for Cyber Security Research and Innovation at RMIT University
“Smaller Health Care operators are at risk of cyber incidents due to the sensitive personal information they hold, but they may not have the cyber capabilities to protect against cyber attacks.
Attackers are keen to obtain personally identifiable information such as people's personal details or Medicare care details that they can use in subsequent scams.
The key concern is that patients' medical information and treatment details could have been taken in the hack, which is a real concern, especially if all the hacked information ends up on the Darknet”