Patients at 21 Partnered Health medical centres across four states and the ACT are learning by text message that their records were taken in a cyberattack the company detected on June 23 and publicly disclosed on Wednesday night, 22 days later.

The company's statement lists what was accessed: names, dates of birth, addresses and contact details, Medicare numbers, private health insurance, veteran and concession card numbers, and medical information including consultation notes, referral letters and pathology or diagnostic results. Sixteen of the 21 clinics are confirmed to have had data taken. Five more, in Western Australia and Victoria, remain under investigation.

Our investigations to date have confirmed that personal information (including health information) was taken from some of the clinics in our network," the company said. It has not said how many patients are affected. Australian Associated Press reported the exposed records number in the thousands.

Partnered Health says it reported the incident to the Australian Cyber Security Centre, the privacy regulator and law enforcement, and it has obtained an interim injunction from the Supreme Court of NSW ordering that the data not be used or published. IVF provider Genea used the same device after its 2025 breach. Injunctions of this kind bind media outlets as well as the attackers, and the company has not disclosed when the order was granted.

The breach arrived mid-sale. Quadrant Private Equity agreed on June 18 to sell Partnered Health Group to Bupa, a deal covering 68 primary care clinics, three urgent care clinics and a stable of corporate health brands, subject to approval by the competition regulator and the Foreign Investment Review Board. Five days later, by its own account, Partnered Health became aware a malicious actor was in its systems.

Neither the Office of the Australian Information Commissioner nor the Australian Cyber Security Centre had made a public statement by Thursday morning. No attacker has been identified and no ransom demand has been reported.

Health operators lead the country in reported breaches. They notified the OAIC of 225 incidents in 2025, 19 per cent of the national total and more than any other sector. Medibank's 2022 breach exposed the data of 9.7 million current and former customers and drew Federal Court civil penalty proceedings from the regulator. MediSecure's 2024 breach, at 12.9 million Australians, remains the largest on record.

"As a health services provider, we know our patients and our people trust us with personal and medical information and we sincerely apologise for any concern and inconvenience this may cause them," the company's statement said. Its investigation, and the sale, are both still under way.