Healthcare is Australia’s most targeted sector for data breaches. Is your practice ready?
According to the Office of the Australian Information Commissioner (OAIC), the health sector has held the top position for reported data breaches in Australia for several years running, accounting for 20% of all notifications in the second half of 2024.
Not finance. Not government. Healthcare.
The Australian Signals Directorate’s 2024-25 Annual Cyber Threat Report confirmed that ransomware incidents targeting the healthcare sector doubled in a single year.
The question for every practice owner and manager now is: is your practice prepared for a real threat?
Why healthcare is in the crosshairs
Healthcare data is extraordinarily valuable. According to Kroll’s 2025 Data Breach Outlook, a patient record can fetch up to USD $1,000 on the dark web, compared to approximately USD $5 for a stolen credit card number.
A single record can contain Medicare numbers, prescription histories, mental health information and financial data all in one place.
Cyber criminals also understand that a practice cannot afford for its systems to go down because patients are waiting. That urgency creates pressure to resolve incidents quickly, and decisions made under that pressure can be costly.
The 2024 MediSecure breach shows what is at stake: the personal health information of 12.9 million Australians was exposed, and the company was forced into administration.
The vulnerabilities most practices overlook
Large-scale incidents attract headlines, but smaller practices are frequently targeted precisely because their defences are lighter. The OAIC’s most recent report noted that human error accounted for 37% of all breach notifications, with phishing and stolen credentials among the leading causes.
The vulnerabilities that appear most often at the practice level include poorly integrated clinical software, insufficient staff security training, backup processes that have never been tested, and no formal assessment against the Australian Government’s Essential 8 framework.
None of these require a sophisticated attacker to exploit.
What the Privacy Act requires of you
Under the Notifiable Data Breaches scheme, if your practice experiences a breach likely to cause serious harm to any individual, you are legally required to notify both the affected individuals and the OAIC. Privacy Act amendments and RACGP accreditation standards are tightening these obligations further.
Practices that have built security proactively are far better positioned to meet these requirements than those responding to an incident they were not ready for.
Is your practice ready? A quick checklist
Before looking outward, it is worth taking an honest look at where your practice stands right now. Run through these questions and note where the answers feel uncertain.
✓ Do you know when your last security review was? If you cannot recall, it has likely been too long. The threat landscape has shifted significantly in the past two years alone.
✓ Have your backups ever been tested? Many practices have a backup process in place but have never verified it works under real conditions. If ransomware strikes tomorrow, do you know how quickly you could restore normal operations?
✓ Has your team completed security awareness training recently? Given that 37% of breaches are caused by human error, your staff are one of the most important lines of defence in your practice.
✓ Do you have a documented data breach response plan? Knowing what to do in the first hours after a suspected breach can significantly reduce the harm caused. If there is no plan, that is a gap worth closing now.
✓ Have you assessed your practice against the Essential 8? The Australian Government’s baseline cybersecurity framework exists for good reason. If you have never benchmarked against it, you may not know where the vulnerabilities are.
If any of these questions prompt an uncomfortable pause, that is worth paying attention to.
Ready to protect what matters most?
If the checklist above raised questions you do not have clear answers to, it may be time to look at how your practice’s IT environment is structured. From security posture assessments and Essential 8 alignment to backup testing and clinical software integration, getting the foundations right is what prevents a breach from becoming a crisis. Health IT works exclusively with GP practices and specialist clinics across Australia.