TL;DR - If your GP tells you your medical records were stolen, treat the notice as an identity and scam problem, not just an IT problem. A bank card can be cancelled and replaced; a Medicare number, health identifier, and clinical history follow you. Check Medicare activity, secure myGov and myGovID, contact IDCARE, and make the clinic explain what was accessed and what help it offers. What you need to do:
On 15 July, I read The Guardian's report about the Partnered Health breach with a coffee going cold beside my keyboard. The sentence that stopped me was not "cyber-attack". It was the reference to personal information and medical details. A technical incident sounds distant. A clinical note, referral letter, or Medicare number belongs to a real person who still has to answer the phone when the next scam arrives.
If your clinic has sent you a similar notice, do not panic and do not file it away. You cannot pull stolen records back, but you can make the useful parts harder to use and make the next phone call easier to recognise.
Medical Records Stolen: What Happened at Partnered Health
The Guardian reported that Partnered Health said a malicious actor accessed personal information and health information from some clinics in its Australian network. The report said the information included names, dates of birth, addresses, contact details, Medicare details, private health insurance details, and concession card details. It also reported that medical and treatment information, including consultation notes, referral letters, and pathology or diagnostic results recorded by a GP, was breached.
The details above are what the report says, not a reason to assume every patient record contained every category. Keep a copy of your notice. If the clinic is still investigating, ask when it will update you. You can read the Guardian report on the Partnered Health breach.
For context, this is a different problem from a leaked password. My guide to a superannuation breach covers another Australian breach in plain English, but the response here needs to start with health information.
Why Your Medical History Is Harder to Replace Than Your Credit Card
A bank can cancel a card and issue another one. You can reset a password. You cannot cancel the fact that you once had a particular diagnosis, saw a particular specialist, received a referral, or had a pathology result recorded in a clinical system.
A Medicare number and other health identifiers are not just random strings. In the wrong hands, they may be used in attempts to pass identity checks or make a government-related scam sound official. Clinical notes add context. A caller who knows the name of your practice and can mention a real appointment has a much easier job sounding plausible than a caller who knows only your email address.
That does not mean every stolen record will be used, or that every follow-up call is connected to this breach. It means the warning signs change. You are not only watching for a password-reset email. You are watching for someone who knows enough about your care to make you lower your guard.
I can replace a bank card, but I cannot replace my medical history.
The practical response is therefore two-track. Check for activity that should not be there, then slow down every unexpected request for more information. Do not send a photograph of an identity document, disclose a code, or confirm a full Medicare number because a caller claims to be from your GP.
The 3 Things Scammers Want From Your Medical File
1. An identity they can make sound complete
Names, dates of birth, addresses, contact details, Medicare details, private health insurance details, and concession card details can be combined into a convincing introduction. The scammer does not need to know your whole life. They need enough accurate pieces to make the next request feel like administration.
That request might be an account check, a request to confirm a number, or a message asking you to move to a link. Accurate details are there to earn trust, not to prove the caller is your clinic.
2. A private detail that creates urgency
If clinical notes or treatment information were exposed, the scammer may use a medical topic to make the contact feel time-sensitive. A fake reminder about a referral, an invented result, or a request to "update" a health record can feel more believable because it touches something you do not discuss casually.
You do not have to decide whether a caller knows a genuine detail. Hang up and call the practice using the number you already have or find it independently. That small break in the conversation removes the advantage the scammer was trying to create.
3. A trusted doorway into the rest of your accounts
A clinic's name, a doctor's name, and a patient's contact details provide a ready-made vishing story. The caller can start with health information, then steer toward myGov, a payment, a one-time code, or an identity document. The subject changes, but the goal is the same: get you to hand over something the stolen record did not contain.
The guide to why scammers already know your information explains how separate scraps of data are combined into a profile. Medical records can become the most sensitive new scraps in that profile, so treat every unexpected contact as untrusted until you verify it yourself.
The same data that makes a follow-up scam sound real is also why a simple monitoring routine matters. You cannot make a stolen clinical note untrue, but you can check Medicare activity, review account alerts, and keep the clinic's direct number somewhere safe. Use the 24-hour data breach response guide as a checklist rather than waiting for the next vague email to tell you to "remain vigilant."
Your Next 5 Steps in Order
These are short jobs, not a weekend security project. Start at the top.
-
Confirm the notice. Take 2 minutes. Find the clinic's number on its official website, your existing appointment record, or a previous statement. Call that number and ask whether the notice is genuine and whether your patient record is in the affected group. Do not use a link or phone number supplied in an unexpected message.
-
Check your Medicare claims. Take 5 minutes. Sign in to myGov yourself and open Medicare's online account and claims information. You are looking for a claim, service, or provider you do not recognise. For help with the Medicare service, use the official Services Australia Medicare online account page, not a search ad or a link in a text.
-
Secure your government identity access. Take 5 minutes. Review your myGov security settings, recovery details, and recent activity. If you use myGovID or myID, check the official myID service for the current instructions and make sure you recognise the devices and prompts connected to your identity. myGovID is not a medical-record monitor, so do not expect it to tell you that a clinic file was stolen.
-
Call IDCARE. Take up to 10 minutes. IDCARE is an Australian identity and cyber support service. Tell them what the clinic confirmed, what kinds of information may be involved, and whether you have seen suspicious activity. They can help turn a general concern into a response plan.
-
Ask the clinic for a written update and report suspicious activity. Take up to 10 minutes. Send the questions below and keep the reply with the original notice. If you see unusual Medicare activity or a related cybercrime attempt, screenshot messages, write down call times and numbers, and submit a report through ACSC ReportCyber. Contact the relevant government service through its official site, then tell your family what happened so the next convincing call does not catch someone else off guard.
The last step preserves the wording that made the scam credible and gives your family a rule: no medical, government, or banking request gets handled from an unexpected link or inbound call.
The Questions Your GP Clinic Owes You an Answer To
A good answer does not have to pretend the investigation is finished. "We do not know yet, and we will update you by this method" is more useful than a reassuring paragraph that says nothing. Ask these questions in writing if you can:
- What information was confirmed as accessed or taken? Ask specifically whether the investigation found Medicare numbers, private health insurance details, concession card details, other health identifiers, clinical notes, referral letters, or pathology and diagnostic results in the affected material.
- Was my individual record confirmed as accessed, or is it part of a potentially affected system? Ask what the clinic can confirm now and what remains under investigation. Do not accept a guess presented as certainty.
- What should I do because of my particular exposure? Ask whether the clinic is offering IDCARE support, monitoring, replacement documents, or another remedy, and ask for the details in writing.
- How will you contact me with the next update? Ask for the official phone number, email domain, and a way to verify future messages. A genuine update should not require you to surrender a password, one-time code, or full identity document by replying to an unsolicited message.
You can also ask whether the clinic has notified the relevant privacy authorities and law enforcement. The OAIC notifiable data breaches guidance explains the Australian notification framework, but it cannot tell you what happened to your individual record. That answer has to come from the provider.
The breach happened. Your details may be out there. What changes now is whether you use the checklist, verify the next contact, and spot the follow-up before it works. Start with the same 24-hour breach response guide and work through the steps in order.
Further Reading
- Patient records stolen in the Partnered Health cyberattack - The Guardian
- ACSC guidance on recovering from identity theft
- OAIC notifiable data breaches guidance
- IDCARE identity and cyber support
- What to Do in the First 24 Hours After an Email Data Breach
- Why Scammers Already Know Your Information
- How to Spot a Scam Text Before You Click
- Superannuation Breach: What You Need to Know and Do
Mathew Clark / Founder, SecureInSeconds / Currently: explaining to my kids that no, the clinic letter about stolen records does not mean someone is coming to our house



