
TLDR
Partnered Health confirmed on 15 July 2026 that a malicious actor accessed patient data across 21 of its GP clinics in NSW, Victoria, Queensland, WA and the ACT after the attack was discovered on 23 June 2026. Exposed records may include Medicare numbers, DVA and concession card details, consultation notes, referral letters and pathology results. Partnered Health reported the breach to the ACSC, the OAIC and law enforcement, and secured a Supreme Court injunction barring use or publication of the stolen data. The incident adds to a mounting pattern of cyberattacks on Australian healthcare providers, where sensitive patient data remains a high-value target.
KEY TAKEAWAYS
The breach: what happened and when
Partnered Health became aware on 23 June 2026 that a malicious actor had accessed some of its dataverifiedVerified Source: partneredhealth.com.au, triggering an immediate response that included engaging specialist cyber experts to contain the incident and assess its full scope.[1] The company publicly confirmed the attack on 15 July 2026.
Partnered Health said in an official statement: "On 23 June 2026, Partnered Health became aware that a malicious actor accessed some of our data."[1] Investigations were launched in parallel with containment work and remain ongoing.
Which clinics and patients are affected
The breach affected 21 clinics across New South Wales, Victoria, Queensland, Western Australia and the Australian Capital TerritoryverifiedVerified Source: partneredhealth.com.au, out of a network of more than 60 GP practices operated by Partnered Health.[1] Partnered Health said it is communicating directly with patients from the affected clinics.
Partnered Health said: "Our investigations to date have confirmed that personal information (including health information) was taken from some of the clinics in our network. We are continuing to investigate the extent to which personal information has been impacted by this incident and are communicating with patients from impacted clinics."[1] Patients who have not been contacted but believe they may be affected are encouraged to check the company's dedicated incident page.
What data was exposed
Partnered Health confirmed that affected data may include names, dates of birth, addresses and contact details; Medicare numbers; private health insurance details; Veteran Card (DVA) or concession card numbers; and medical information such as consultation notes, referral letters, and pathology or diagnostic results.[1] The combination of government identifier numbers and detailed clinical records raises the risk of identity fraud and targeted phishing well beyond what a standard financial data breach would present.
Australia's Notifiable Data Breaches scheme recorded 1,205 notifications in 2025, with malicious cyber incidents accounting for 63 per cent of all eligible breaches. Healthcare providers consistently rank among the most targeted sectors because of the value of patient records.
Regulators, law enforcement and the court injunction
Partnered Health reported the incident to the Australian Cyber Security Centre, the Office of the Australian Information Commissioner and law enforcement.[1] Notification to the OAIC satisfies the company's obligations under the Notifiable Data Breaches scheme established by the Privacy Act 1988, which requires health service providers to notify both affected individuals and the regulator as soon as practicable after a qualifying breach.
Partnered Health obtained an interim injunction from the Supreme Court of New South Wales ordering that the accessed data is not used or publishedverifiedVerified Source: partneredhealth.com.au.[1] The injunction is a civil remedy intended to limit downstream harm if the stolen records were circulated or sold, though enforcement against anonymous offshore threat actors remains a practical limitation of any such order.
How affected patients can check their status
Partnered Health said it is directly contacting patients from the 21 impacted clinics.[1] Patients who attended any of these clinics and want to confirm whether their records were accessed should visit the company's official incident page at partneredhealth.com.au and use any dedicated contact mechanism the company has established there.
Security practitioners routinely advise patients caught in health data breaches to place alerts on their credit files with the major credit reporting bureaux, watch for unusual Medicare or DVA activity, be alert to unsolicited contact from people citing personal medical details, and enable multi-factor authentication on any health portal accounts. Anyone who suspects their Medicare number is being misused can report it to Services Australia.
Australia's mounting healthcare breach record
The Partnered Health incident follows a series of high-profile attacks on Australian health organisations. The 2022 Medibank breach exposed records belonging to 9.7 million policyholders, and the ManageMyHealth breach disclosed on 30 December 2025 struck multiple general practice networks, highlighting that GP clinic data systems carry systemic vulnerabilities that threat actors are actively targeting.
The Partnered Health network spans more than 60 practices nationally, making the confirmed 21-clinic figure a significant subset of its operations. Partnered Health said its investigation into the full extent of the data exposure was still continuing as of 15 July 2026.[1]
SOURCES & CITATIONS
FREQUENTLY ASKED QUESTIONS
When did the Partnered Health cyberattack occur?
Which states are the affected clinics in?
What patient information was exposed in the breach?
What has Partnered Health done in response?
How can I find out if my records were accessed?

Caleb Reed covers breaking news and sport for Bushletter. Fast and verb-led, he writes with a news-wire cadence and no patience for PR spin.



