Partnered Health cyberattack exposes insured patient data after Bupa deal

Breach spanning 21 clinics raises cyber and healthcare liability questions

Partnered Health cyberattack exposes insured patient data after Bupa deal

Cyber

By Roxanne Libatique

A cyberattack on Partnered Health Group has compromised patient records across 21 named clinics in five states and territories – exposing data that includes private health insurance and Department of Veterans’ Affairs (DVA) card details – and landing five days after Bupa announced its intention to acquire the company.

Partnered Health, owned by private equity firm Quadrant, disclosed the incident publicly on July 15, confirming it became aware of the breach on June 23. The affected clinics span New South Wales, Victoria, Queensland, Western Australia, and the Australian Capital Territory, covering metropolitan and regional locations including Sydney, Melbourne, Canberra, the Gold Coast, and the Sunshine Coast.

What was taken – and what it means for insurers

Partnered Health confirmed that “personal information (including health information) was taken from some of the clinics in our network,” while noting its investigation remains ongoing. Data categories affected include names, dates of birth, addresses, and contact details; Medicare numbers; private health insurance details; Veteran Card (DVA) numbers; concession card numbers; and medical records including GP consultation notes, referral letters, and pathology and diagnostic results.

The inclusion of private health insurance and DVA details is directly material for the sector. Health funds and insurers whose members attended any of the 21 affected practices may face downstream notification obligations under Australia’s Notifiable Data Breaches (NDB) scheme, depending on whether they are assessed as holding or processing the relevant data. Partnered Health has reported the incident to the Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commissioner (OAIC), and law enforcement and has obtained – not merely sought – an interim injunction from the Supreme Court of New South Wales ordering that the accessed data are not used or published.

A record breach environment

The incident arrives in the worst year on record for Australian data breach notifications. The OAIC received 1,205 notifications in the 2025 calendar year – an 8% increase over 2024 and the highest annual total since mandatory breach reporting commenced under the NDB scheme in 2018. Health service providers accounted for 19% of all 2025 notifications, or approximately 225 incidents – the most frequently reported sector. “The threat posed to Australian businesses and organisations by data breaches is substantial and rising year on year,” Australian Privacy Commissioner Carly Kind said in the OAIC’s 2025 annual release. Malicious or criminal attacks accounted for 716 of the 1,205 notifications – the dominant cause category.

For the insurance sector, this environment is reshaping underwriting conditions. Australia’s cyber insurance market posted consecutive quarterly profits through the second half of 2025 and into the first quarter of 2026, based on Australian Prudential Regulation Authority (APRA) data released in May 2026. Cyber gross written premium has not, however, exceeded $73 million in any single quarter. Industry participants have attributed this partly to low uptake among small businesses and a still-maturing market with limited historical pricing data. Healthcare is among the sectors reported to be experiencing less premium relief than the broader market because of elevated claims activity, alongside transportation, manufacturing and retail.

A tightened regulatory environment

The breach also falls under a materially changed legal framework. The Privacy and Other Legislation Amendment Act 2024, which received Royal Assent on December 10, 2024, introduced tiered civil penalties allowing the OAIC to pursue penalties for any interference with privacy – not only serious or repeated breaches. Non-serious interferences now carry a maximum civil penalty of $3.3 million for a body corporate, while the OAIC may also issue infringement notices of up to $330,000 for specified breaches without commencing Federal Court proceedings. Serious interferences remain subject to the existing maximum of $50 million or 30% of adjusted turnover, whichever is greater. The same legislation introduced a statutory tort for serious invasions of privacy, in force by June 2025, giving individuals a direct right of action in cases where personal information handling is found to be intentional or reckless. For healthcare providers and their insurers, that creates litigation exposure that sits alongside – and is separate from – regulatory penalty risk.

The M&A dimension

The five-day gap between Bupa’s June 18 acquisition announcement and the June 23 breach is the element that most distinguishes this incident from an isolated healthcare data event – and it raises a question backed by research. Management consulting firm Oliver Wyman has noted in its analysis of healthcare M&A cyber risk that the announcement of a merger or acquisition itself functions as a trigger event for cyber actors, who use such moments to probe an organisation’s systems, data architecture, and access points. The firm assessed that the potential impact of a major healthcare cyber event, when factoring in IT disruption, regulatory penalties, lawsuits, and reputational damage, “could reach into the billions.”

Bupa confirmed on June 18 that it had agreed to acquire Partnered Health pending Australian Competition and Consumer Commission (ACCC) and Foreign Investment Review Board (FIRB) approval. The deal would add 68 primary care clinics and three urgent care clinics to Bupa’s existing network of 32 Bupa Medical and 13 Mindplace clinics across Australia. Bupa APAC CEO Nick Stone said at the time: “As a diversified health care provider, we’re focused on what we can do to better meet the health and wellbeing needs of Australians, as well as help support the careers of the GPs and clinicians that deliver that care.”

Neither Bupa nor Partnered Health has publicly addressed whether the breach engages any contractual provisions in the acquisition agreement – a standard consideration in any M&A cyber incident review, covering representations and warranties on data security compliance, known incident disclosures, and material adverse change clauses. Partnered Health managing director and CEO Dr Malcolm Parmenter said in June that the combination with Bupa would enable the group to grow its clinic footprint and expand its service offering while maintaining the clinical autonomy its clinicians had always enjoyed.

Founded in 2013, Partnered Health operates more than 60 medical centres nationwide and serves more than 5 million Australians. The full patient scope of the breach has not been publicly quantified. For brokers and underwriters with healthcare sector exposure, the incident highlights the intersection of cyber risk and insurers’ expanding participation in healthcare delivery – an emerging issue illustrated by Bupa’s proposed acquisition of Partnered Health.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!