
Ochre Health has confirmed that patient data from its Tuggeranong medical centre in Canberra was potentially compromised and subsequently sold on an online hacking forum. The breach, which originated from a third-party platform used by Ochre Health, is believed to have affected more than 25,000 patients, with the compromised data including Medicare numbers, Department of Veterans’ Affairs (DVA) details, appointment records, and billing information.

If you are a patient of Ochre Health’s Tuggeranong clinic, your personal and health information may be among those affected. Here is what happened, what Ochre Health has confirmed, and what you should do right now.

What Happened in the Ochre Health Data Breach?

The breach originated from an unnamed third-party platform used by Ochre Health’s Tuggeranong clinic. A threat actor claimed to have gained access to this platform and subsequently offered the stolen patient data for sale on a hacking forum. Ochre Health confirmed it became aware of the online claims and launched an investigation in collaboration with cybersecurity experts and relevant authorities.

Ochre Health stated that its broader systems environment is secure and that its clinics and medical centres continue to operate normally with no disruption to patient care. The organisation confirmed the incident appears to be limited to the Tuggeranong clinic and the specific third-party platform involved.

This is the latest in a series of Australian healthcare data breaches involving third-party platforms and suppliers. The pattern is consistent: healthcare organisations and their suppliers hold extraordinarily sensitive data, and they are consistently targeted because of it.

What Data Was Compromised?

The data potentially affected in the Ochre Health breach is particularly sensitive, covering a broad range of personal and clinical information. The categories of data that may have been accessed include:

  • Full names, dates of birth, home addresses, email addresses, and phone numbers
  • Medicare card numbers and DVA (Department of Veterans’ Affairs) numbers
  • Appointment dates and clinical details
  • Billing and payment information

Medicare numbers and DVA card details are government-issued identifiers that can be used for identity fraud, fraudulent Medicare claims, and targeted social engineering attacks. Unlike a compromised password, a Medicare number cannot simply be changed. This makes the exposure of these details a long-term risk for affected patients.

How Ochre Health Has Responded

Ochre Health confirmed it is actively investigating the incident with the assistance of external cybersecurity specialists. The organisation stated it is working with relevant authorities to address the situation and is reviewing its security systems as a precautionary measure.

Under Australia’s Notifiable Data Breach scheme, organisations covered by the Privacy Act 1988 are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a breach is likely to cause serious harm. Given the sensitivity of the data involved, this obligation is clearly engaged. Patients can contact the OAIC directly if they believe their privacy rights have not been respected.

What Should Affected Patients Do?

Report Your Medicare Card as Compromised

Medicare Australia allows patients to request a replacement card if they believe their Medicare number has been exposed. Call Services Australia on 132 011 or visit a Medicare service centre to request a new card with a new number. This limits the window for fraudulent claims using your current number.

Contact DVA If Applicable

If you hold a DVA card and believe your details were compromised, contact the Department of Veterans’ Affairs on 1800 VETERAN (1800 838 372) to discuss your options and flag the potential exposure.

Watch for Targeted Health Scams

Scammers who obtain healthcare data often pose as Medicare, private health insurers, the Australian Taxation Office, or healthcare providers. They may reference specific details such as your clinic, appointment dates, or billing amounts to appear legitimate. Do not provide personal information or payment details over the phone or via a link in an email unless you have independently verified the source.

Monitor Your Credit and Financial Accounts

Name, date of birth, address, and Medicare number together form a powerful identity theft package. Check your credit report via Equifax, Experian, or illion, and consider placing a credit alert or freeze if you are concerned. Review your Medicare claims history via MyGov for any unfamiliar claims.

Contact IDCARE for Specialist Support

IDCARE is Australia’s national identity and cyber support service. If you are concerned about the potential misuse of your information, they can be reached on 1800 595 160.

Why Healthcare Data Breaches Are Particularly Damaging

Healthcare organisations hold the most sensitive category of personal information. Under the Privacy Act, health information is classified as sensitive information and attracts additional protections and obligations compared to general personal data.

The consequences of a healthcare data breach extend well beyond the immediate inconvenience of changing a password or cancelling a credit card. Medical records can be used to commit health insurance fraud, to obtain prescription medications, to gain access to disability support systems, and to build convincing false identities. Medicare and DVA numbers are especially valuable because they are government-issued, widely trusted, and difficult to replace.

The Australian Government has significantly increased penalties for serious and repeated privacy breaches, and the OAIC has signalled it will pursue enforcement action in cases where organisations failed to take reasonable steps to protect the sensitive information they hold.

Third-Party Risk Is the Common Thread

The Ochre Health breach, like the SunDoctors breach disclosed just two days earlier, originated not from a direct attack on the organisation’s own systems but from a compromise of a third-party platform the organisation relied upon. This pattern is consistent across dozens of significant Australian data breach events in recent years.

When you integrate an external platform with your operations, you effectively extend your security perimeter to include that platform. If the platform has poor access controls, unpatched vulnerabilities, or weak credential management, those weaknesses become your weaknesses.

For Australian businesses, the lesson is clear. You are responsible for the personal information you hold regardless of whether that information sits in your systems or in those of a service provider you have engaged. Under the Privacy Act, the obligation to protect personal data does not transfer to your IT provider. It stays with you.

Why This Matters for Professional Services Firms

Otto IT works with professional services firms across Melbourne, including law firms, accounting practices, financial advisory businesses, and healthcare-adjacent organisations. These businesses hold large volumes of highly sensitive client data, and they increasingly rely on third-party platforms to manage that data.

The AML/CTF reforms taking effect on 1 July 2026 add formal compliance obligations around data handling for lawyers, accountants, conveyancers, and real estate professionals. The Privacy Act’s “fair and reasonable” test, which is being more actively enforced by the OAIC in 2026, requires organisations to demonstrate that their privacy protections extend to the platforms and suppliers they use.

How Otto IT Can Help

Otto IT works with professional services firms to implement structured, practical cybersecurity that addresses third-party risk as a first-class concern rather than an afterthought.

Our managed cybersecurity services include third-party access reviews, helping clients understand who has access to their environment and what controls are in place. We help businesses implement the ASD’s Essential Eight controls, which include application control, patching, and access management measures that reduce both direct attack surface and third-party exposure. We also support incident response planning so that when a supplier or platform is compromised, your team knows exactly what to do.

If the Ochre Health breach has raised questions about your own use of third-party platforms and whether your data is protected, we are here to help. Contact the Otto IT team to start the conversation.

General Advice: Protecting Against Third-Party Platform Breaches

Audit your third-party platforms regularly. Maintain a register of every external platform that has access to your business data, including what data it can reach and what authentication controls protect that access. Review this register at least annually and whenever you onboard or offboard a supplier.

Apply the principle of least privilege to platform integrations. External platforms should only be able to access the specific data they need to function. Review and restrict access scope whenever possible.

Include security requirements in platform contracts. Vendor agreements should specify minimum security standards, breach notification obligations, and your right to audit or request evidence of compliance.

Use multi-factor authentication on every platform. Every external platform that holds your business data should have MFA enabled. MFA is one of the most effective controls available and remains one of the most underused.

Test your incident response plan. When a third-party platform is compromised, the clock starts immediately. You need to know what data was exposed, who needs to be notified, and what your legal obligations are. Practise this scenario before it happens.
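The register checks described above can be automated. The following is an added example, not Otto IT's own tooling: the CSV column names, the sample rows, and the list of sensitive data categories are all constructed for illustration, and the 365-day threshold reflects the "at least annually" review interval.

```python
import csv
import io
from datetime import date

# Constructed sample register (hypothetical suppliers, assumed column names).
REGISTER_CSV = """platform,data_granted,data_required,mfa_enforced,breach_notice_clause,last_review
booking-portal,name;dob;medicare_number;billing,name;dob,no,yes,2025-01-10
payroll-saas,name;bank_details,name;bank_details,yes,yes,2026-03-02
sms-reminders,name;phone;clinical_notes,name;phone,yes,no,2026-05-20
"""

# Assumed set of categories that raise the severity of any finding.
SENSITIVE = {"medicare_number", "dva_number", "clinical_notes", "billing", "bank_details"}


def audit_register(csv_text, today, max_review_age_days=365):
    """Return {platform: (severity, [issues])} for every platform with a gap."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        granted = set(filter(None, row["data_granted"].split(";")))
        required = set(filter(None, row["data_required"].split(";")))
        # Least privilege: anything granted beyond what the platform needs.
        excess = granted - required
        if excess:
            issues.append("excess access: " + ",".join(sorted(excess)))
        if row["mfa_enforced"].strip().lower() != "yes":
            issues.append("MFA not enforced")
        if row["breach_notice_clause"].strip().lower() != "yes":
            issues.append("no breach notification clause")
        age = (today - date.fromisoformat(row["last_review"])).days
        if age > max_review_age_days:
            issues.append(f"review overdue ({age} days)")
        if issues:
            # Escalate when the platform can reach sensitive categories.
            severity = "high" if granted & SENSITIVE else "medium"
            findings[row["platform"]] = (severity, issues)
    return findings


if __name__ == "__main__":
    for name, (sev, issues) in audit_register(REGISTER_CSV, date(2026, 6, 20)).items():
        print(f"[{sev}] {name}: " + "; ".join(issues))
```

Running the same audit at supplier onboarding and offboarding, not only at the annual review, keeps the register aligned with the access that actually exists.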

Frequently Asked Questions

What happened in the Ochre Health data breach?

Ochre Health confirmed that patient data from its Tuggeranong clinic in Canberra was compromised via a third-party platform and offered for sale on a hacking forum. More than 25,000 patients may have had their Medicare numbers, DVA details, appointment records, billing information, and contact details exposed.

What data was stolen in the Ochre Health breach?

The compromised data reportedly includes names, dates of birth, contact details, Medicare card numbers, DVA numbers, appointment history, and billing information. This is highly sensitive data that can be used for identity theft, healthcare fraud, and targeted scams.

How did the Ochre Health breach happen?

The breach occurred via a third-party platform used by the Tuggeranong clinic, not through a direct attack on Ochre Health’s own systems. This is an increasingly common attack pattern in Australia, where threat actors target smaller or less-secured suppliers to access the data of larger organisations.

What should I do if I was a patient at Ochre Health Tuggeranong?

Contact Medicare on 132 011 to report the potential compromise of your Medicare number. Contact DVA if applicable. Monitor your accounts for unusual activity, be alert for health-related phishing and scam calls, and contact IDCARE on 1800 595 160 for specialist identity and cyber support.

Is my business at risk from third-party platform breaches?

Yes. Any business that uses external platforms, SaaS tools, cloud services, or managed IT providers creates third-party access relationships that represent potential entry points for attackers. Businesses need to actively manage this risk through supplier assessments, access controls, and contractual security requirements.

Protect Your Business and Your Clients’ Data

The Ochre Health breach is a reminder that cybersecurity is not just about your own systems. It is about every platform and supplier that touches your data.

Otto IT helps professional services firms understand and manage their cyber risk in practical terms. From Essential Eight assessments and third-party risk reviews to incident response planning and ongoing managed security monitoring, we help businesses build resilience that matters.

Talk to the Otto IT team today to find out where your biggest third-party risks are and what to do about them.

This post was published on 20 June 2026 based on publicly available information at the time of writing, including Ochre Health’s published statement and reporting by Cyber Daily.
