IronSights

Industries · Healthcare

Cyber security for Australian medical practices.

GPs, specialists and allied health hold the most sensitive records a person has, and they hold them with small teams and no security staff. Health has been Australia's most breached sector for years running. We help practices protect patient data and meet obligations that apply no matter how small the practice is.

IronSights works with medical centres, specialist rooms and allied health practices across Australia. We are ISO 27001 and ISO 9001 certified, Microsoft certified, and based in Sydney. Australian-owned, and used to working around a practice that cannot stop seeing patients.

Threat landscape

Why medical practices are targeted.

Health service providers were the most breached sector in Australia in 2025, at around 19 percent of all notifications to the OAIC, ahead of finance and government. That was against a record year. Australian organisations notified 1,205 breaches, the highest since the scheme began in 2018, and most were malicious or criminal attacks rather than accidents. Health has held the top spot for years.

The reason is the data. A patient file holds identity, Medicare and private health insurance details and clinical history in one place, and unlike a stolen card number none of it can be cancelled and reissued. A diagnosis is exposed permanently. That makes health records valuable for fraud and unusually effective for extortion, because the pressure on a practice to make the problem disappear is severe.

The July 2026 attack on a national network of medical clinics showed how this plays out. Reports said clinics across Sydney, Melbourne, Canberra and Queensland were caught, and that the stolen data ran to consultation notes, diagnoses, referrals and pathology results alongside Medicare and insurance details. Patients were told more than three weeks after the intrusion.

That gap is the part worth studying. Establishing what an intruder actually reached is slow work, and it is slower still when nobody has thought about the question before the day it matters. The obligation to assess does not wait for you to be ready.

The exemption myth

The small business exemption does not apply to you.

This is the single most common misunderstanding we meet in the sector, and it is worth being blunt about. Australian privacy law exempts many businesses turning over $3 million or less. That exemption is not available to an organisation that provides a health service and holds health information. A solo GP, a two-room physiotherapy clinic and a part-time psychology practice carry the same Australian Privacy Principles as a hospital. Turnover has nothing to do with it.

Most practices believe they are exempt

Australian privacy law exempts many small businesses turning over $3 million or less, and most practice owners assume that covers them. It does not. The exemption is expressly unavailable to an organisation that provides a health service and holds health information. Whether you bill $200,000 or $20 million changes nothing about your obligations.

The definition is wider than doctors

General practice, specialists, dentists, allied health, psychology, physiotherapy, podiatry and aged care are all captured. If you assess, maintain or improve someone's health and keep a record of it, you are holding health information under the Act. A great many allied health practices are covered without ever having been told.

What the Act actually asks of you

The Australian Privacy Principles require reasonable steps to protect personal information from misuse, loss and unauthorised access. Reasonable is judged against what you hold, and health information sits at the sensitive end. The bar for a practice full of clinical records is higher than for a business holding a mailing list.

The breach duty comes attached

Being covered by the Privacy Act means the applies to you too. If a breach is likely to cause serious harm you must assess it promptly and tell both the regulator and your patients. With clinical records the serious harm test is usually met, so the question is whether you are ready to answer it, not whether it applies.

How we help

How IronSights supports medical practices.

Practices come to us for plain answers: where patient data is exposed, what to fix first, and how to show a surveyor, an insurer or a health network that the risk is under control.

Fortify — managed security

We watch your systems around the clock and step in when something is wrong, so your team can stay with patients rather than chasing alerts. You get steady improvement and a plain monthly report. Built for practices with no in-house IT security.

Microsoft 365 security

Most practices run on with default settings and a licence that already includes the tools to protect it. We turn on , and Defender, bring devices under management, and configure DMARC, DKIM and SPF so nobody can spoof your practice.

Audit and assurance

A documented baseline against the , and evidence you can put in front of an accreditation surveyor, an insurer or a health network. If a contract or a tender is asking for a security standard, we map the shortest sensible path to it.

Penetration testing

External, internal and web application testing to a method, for practices and health groups that need to prove their systems stand up. A report in plain English, fixes your IT support can action, and a free retest 30 days later.

Incident response

Available 24 hours a day for , email fraud and data breaches. We contain it, establish what was actually accessed rather than assuming, handle the notification where the breach is notifiable, and manage the insurance paperwork.

Security reviews

Where most practices start. We find your biggest gaps, show you where you stand against the Privacy Act, and tell you what to fix first. No obligation to go further.

Compliance

The obligations that apply to your practice.

A medical practice carries more privacy obligation than almost any other kind of small business, and it starts at the first patient rather than at a turnover threshold. This is general guidance, not legal advice.

Privacy Act

Applies from your first patient

Health service providers cannot use the small business exemption, so the Australian Privacy Principles apply in full regardless of turnover. The one that bites hardest is the requirement to take reasonable steps to protect personal information from misuse, loss and unauthorised access. Reasonable is measured against the sensitivity of what you hold, and clinical records sit at the top of that scale.

NDB Scheme

Assess promptly, then notify

If a breach is likely to cause serious harm you must assess it expeditiously, and within 30 days at the outside, then notify the and the affected patients as soon as practicable. With health information the serious harm test is usually met. The practical difficulty is not the rule, it is being able to establish what was actually accessed while the clock is running.

My Health Record

A second, stricter regime

If your practice connects to My Health Record, the My Health Records Act 2012 sits on top of the Privacy Act with its own rules. Unauthorised collection, use or disclosure of My Health Record information, or anything that compromises the security of the system, triggers a separate mandatory notification, and it does not wait on a serious harm judgement. Practices are frequently unaware they carry two obligations rather than one.

Accreditation

RACGP Standards and the Essential Eight

The RACGP Standards for general practices carry criteria on information security and on the confidentiality and privacy of health information, so an accredited practice has to be able to show this is managed rather than assumed. The is not compulsory for a private practice, but it is the yardstick insurers, health networks and tenders keep reaching for, and it lines up closely with what accreditation already asks of you.

Common risks

Where practices actually get hurt.

These are the six we are called about most. None of them are exotic, and none of them need an enterprise budget to fix.

One shared login to the whole patient file

Practice management systems are often reached through a handful of accounts that everyone knows, sometimes written down at reception, rarely with . One of those credentials in the wrong hands opens every record in the practice, and because the login looks legitimate, nothing flags it. Individual accounts and multi-factor authentication are the single highest-value fix in most practices.

Phishing and Microsoft 365 account takeover

The way in is rarely clever. A staff member enters their email password into a page that looks like the Microsoft login, and from that moment the attacker reads everything that account can reach. Practices are phished with the things they cannot ignore: a results notification, a referral, an invoice from a supplier they actually use. defeats the overwhelming majority of it, and it is free with the licence you already hold.

Reception is the front door

The busiest, most interrupted desk in the practice is the one facing the public, taking calls and opening attachments from unknown senders all day. Screens sit in view of the waiting room and accounts are often shared across a shift. This is not a staff failing, it is a design problem, and it is fixed with individual logins, screen locks and training that respects how busy the desk is.

Pathology, billing and booking connections

Your practice connects out to pathology providers, billing services, online booking, secure messaging and referral platforms. Every one of those links carries patient data and most practices have no list of what is connected or what it can reach. When a third party is breached, your patients can be exposed through no fault of your own systems.

Old systems that cannot be patched

Practices run equipment and software that the vendor stopped supporting years ago, often because it is tied to a device or a clinical workflow that cannot easily change. Unsupported systems accumulate known holes that will never be fixed. They can usually be isolated so they are not reachable from the rest of the network, which is far cheaper than replacing them.

No plan for the first hour

Nobody decides who does what on the morning the files will not open. Meanwhile the waiting room is full, the phones are going, and the Act expects you to be assessing whether the breach is notifiable. Practices that have written down who calls the insurer, who makes the assessment and who speaks to patients get through it in days. Practices that work it out on the spot take weeks, and every one of those days is on the record.

Common questions

Asked by practices like yours.

Not in this list? Call us on 1300 004 766 or book a 30-minute consultation. No obligation.

  1. Our practice turns over less than $3 million. Are we exempt from the Privacy Act?

    No. This is the most common misunderstanding in the sector. The small business exemption is not available to an organisation that provides a health service and holds health information. A solo GP, a two-room physio clinic and a part-time psychology practice are all covered in full, the same as a hospital. Turnover does not come into it.

  2. Who counts as a health service provider?

    It is much broader than doctors. General practice, specialists, dentists, physiotherapists, psychologists, chiropractors, podiatrists, optometrists, naturopaths and many allied health and aged care providers are captured. If you assess, maintain or improve someone's health and you keep a record of it, you are almost certainly a health service provider for privacy purposes.

  3. Why are medical practices targeted more than other sectors?

    Because the data is worth more and the defences are usually thinner. A patient record holds identity, Medicare and insurance details and clinical history in one place, and unlike a card number none of it can be reissued. Practices also tend to run lean, with clinical staff sharing systems and no in-house security. The OAIC's figures show health has been the most breached sector in Australia for years running.

  4. What do we have to do if we have a breach?

    If you are covered by the Privacy Act and the breach is likely to cause serious harm, you must assess it promptly and notify both the OAIC and the affected patients. With health information, most serious breaches will meet that test, because the harm from clinical data being exposed is obvious. If My Health Record data is involved, a separate and stricter obligation applies on top.

  5. How long do we have to notify patients after a breach?

    The Act requires you to carry out an assessment expeditiously, and in any case within 30 days, then notify as soon as practicable once you form the view that serious harm is likely. Thirty days is a limit, not a target. Practices that have decided in advance who assesses, who calls the insurer and who speaks to patients move in days rather than weeks.

  6. Does the RACGP require us to have information security in place?

    Yes, if you are accredited. The RACGP Standards for general practices include criteria covering information security and the confidentiality and privacy of health information, so a practice going through accreditation has to show it manages this properly rather than assume the software vendor handles it. Accreditation and the Privacy Act ask for overlapping things, so the work counts twice.

  7. Isn't our practice management software vendor responsible for security?

    Only for their part of it. The vendor secures the product, but you are responsible for who has an account, whether staff share logins, whether multi-factor authentication is switched on, what happens on a lost laptop and what a receptionist can see. Almost every breach we are called to involves an account or a device, not a flaw in the clinical software itself.

  8. We have never had a breach. Do we really need to do anything?

    Most practices we work with had never had one either, right up until they did. The honest answer is that the controls worth having are unremarkable: multi-factor authentication on every account, no shared logins, managed devices, current backups you have actually tested, and a short plan for the first hour. None of that is expensive. It is just rarely anybody's job.

  9. What does a security review involve for a medical practice?

    We look at how staff log in, how patient data is stored and backed up, what your practice management and clinical systems are exposed to, who has access they no longer need, and whether your breach plan would actually satisfy your Privacy Act duties. You get an ordered list of what to fix first, in plain English, with no obligation to go further.

  10. Can you help us right now if we think we have been breached?

    Yes. Call 1300 004 766. We handle containment, work out what was actually accessed rather than assuming the worst, help you meet the notification obligation, and deal with the insurer. Do not wipe or re-image anything before you call, because that destroys the evidence that tells us how far the intruder got.

Start with a review

See exactly where your practice stands.

We look at how your staff log in, how patient data is stored and backed up, what your practice management system is exposed to, and whether your breach plan would satisfy your Privacy Act duties. You get a clear, ordered list of what to fix first, scoped to what a practice can actually afford. Most of the highest-value fixes cost very little.

ISO 27001 and ISO 9001 certified. NSW Master Security Licence 000109187. Microsoft certified security engineers. Australian-owned. Sydney-based.