A major cyber-attack on Partnered Health, one of Australia's largest healthcare providers, has left sensitive patient information vulnerable to exploitation. The breach, which occurred on 23 June, compromised medical records from 21 clinics across major cities including Sydney, Melbourne, and Canberra, potentially putting millions at risk.
The stolen data is comprehensive, encompassing Medicare numbers, private health insurance details, full names, dates of birth, residential addresses, and critical medical information such as treatment details, consultation notes, referral letters, and pathology or diagnostic results. While Partnered Health has informed affected patients and stakeholders, the exact number of individuals impacted remains unclear, with patient interests cited as a reason for not disclosing further information.
Despite obtaining an interim injunction from the New South Wales supreme court to prevent the data's use or publication, experts warn that its effectiveness is limited. Dr. Suelette Dreyfus, a senior lecturer in information systems at the University of Melbourne, cautions that while the injunction might deter publication on regular websites, it is unlikely to stop the data from being traded on the hidden market and dark web, where medical information can fetch up to US$250 per record.
The implications of this breach are profound, with Dr. Dreyfus highlighting the risk of combining stolen medical data with other datasets to create highly detailed and potentially dangerous personal profiles. For individuals with long-term medical conditions, the risks to privacy and personal life could be substantial. Unlike financial data breaches where changing passwords and credit cards can mitigate damage, altering one's medical history after it has been compromised is virtually impossible.
This incident serves as a stark reminder of Australia's ongoing struggle with cybersecurity vulnerabilities in its healthcare systems. The country has experienced several high-profile breaches in recent years, including the 2022 Medibank breach where 9.7 million customer details were published online and a 2019 report by the Victorian auditor general exposing weaknesses in hospital cybersecurity. In response, calls are growing for increased practical cybersecurity training, public awareness, and research to bolster defences against such attacks.