The fundamental theme of all previous digital health discussions is the ongoing need for strong cybersecurity.
October marks the Australian Government’s Cyber Security Awareness Month. This year’s theme is 'Building our cyber safe culture'. It aligns well with an examination of data security trends in healthcare.
This article is the final entry in our series checking up on digital health topics in 2025.
“Australian Privacy Commissioner Carly Kind said the record number of data breaches in 2024 highlights the significant threats facing Australians’ privacy that organisations and agencies need to effectively manage...
Health service providers and the Australian Government again notified the most data breaches of all sectors…”
Why are healthcare organisations at such risk?
As more systems become interoperable, more media is shared among clinicians, and healthcare workers collaborate and respond to critical incidents, secure platforms become increasingly essential.
As we will see later when we examine data security statistics, healthcare providers consistently report the highest rate of data breaches. The healthcare industry has submitted the most notifications to the Information Commissioner in every period for which the OAIC has published reports.
Healthcare is increasingly digitally mature, has a massive and growing workforce, and must necessarily be spread across every community in Australia.
Operators in the industry are also subject to enhanced responsibilities beyond those of firms in other verticals. The type of data recorded – private and personal health information – along with regular consumer contact or billing details, makes data security a critical part of delivering modern healthcare.
With any patient interaction, providers document ‘health information’. This is a specific term that encompasses:
- Details about the health or disability of an individual, their wishes for future provision of care, and any past services provided,
- Any other information collected to enable the delivery of care,
- Any information collected regarding intentions or actions around body, tissues or organ donations, or
- Genetic information that is being or could be used to predict the health of that person or a genetic relative.
This takes a broad definition of all data that a healthcare provider could be keeping. Under the Australian Privacy Principles (APP), health information is specifically denoted as ‘sensitive information,’ a designation that attracts additional protections compared with other personal details.
The APPs impose specific obligations where sensitive information is maintained, covering how data can be collected, used, and disclosed, even when anonymised.
Given the sensitive nature of the information, healthcare providers are attractive targets for malicious actors. Recent major scandals have included Medibank’s 2022 data breach, which the OAIC is pursuing in court, and the Australian Clinical Labs breach, which resulted in a multimillion-dollar fine earlier in October.
In other markets, last year (2024) saw the largest healthcare data breach of all time, with more than 190 million individuals affected by a ransomware attack at Change Healthcare in the US.
An earlier analysis in the academic journal Healthcare found that the healthcare industry saw the highest number of attacks over time and across jurisdictions, and that the average cost of a breach is almost double that of other industries.
In Australia, the OAIC specifies notifiable data breaches and publishes this information twice a year. This allows us to examine the statistics and uncover trends in healthcare cybersecurity. The categories used to sort these are identified below.
Malicious or criminal attack
- Cyber incident, including phishing, ransomware, hacking and malware.
- Social engineering/impersonation
- Rogue employee/insider threat
- Theft of paperwork or data storage device
Human error
- Unauthorised disclosure (unintended release or publication)
- PI sent to the wrong recipient (email, mail, other)
- Failure to use BCC when sending an email
- Insecure disposal
- Loss of paperwork/data storage device
System faults
- Unintended publication due to a flaw in the technology
- Unintended access being granted to an external party
Ikonix Technology analysed the data from July 2020 to date. The reports can all be found here.
Please note that the OAIC is expected to report data from the first half of 2025 at any moment. These figures will be incorporated into our analysis as soon as possible.
What does the data show us?
The OAIC has published statistics on notifiable data breaches from reporting entities since the second half of 2020. In that time, 4,356 breaches have been reported. Of these, almost one in five were from the healthcare industry. This has remained consistent over time, with each report showing around 20% of all reports coming from the sector.
The reports are necessarily anonymised, and limited further insight is provided into how or why this might be the case. We can consider that there are a few possible influences on this:
- Healthcare information, being designated ‘sensitive’, increases the reporting obligation, both by statute and a culture of awareness around the security of this information.
- The sector is a major employer across the country and is represented in every community, rather than concentrated in any given area or in a few organisations. Further, the proportion of workers whose daily job involves significant technology is lower than in other industries, which can affect how cybersecurity-savvy the workforce is.
Malicious or criminal acts are the most common cause of breaches across industries, and in every publication. While that remains the case in healthcare, this sector sees an enduringly lower rate of these. Across all covered periods, healthcare reported 11% fewer malicious breaches.
This could be attributed to any combination of possible factors, such as:
- Larger, institutional organisations having robust policies and infrastructure to reduce criminal acts,
- The industry’s strong culture of privacy controls and respect for private health information, with vendors operating in the market tending to be more proactive in adopting security measures,
- Legacy technologies, sometimes generations behind the market, may coincidentally remove security risks, or
- A simple dilution effect due to the equivalent increase in human errors as a cause of data breaches.
Within the sub-categories under malicious events reported, one clear trend is that healthcare organisations are less likely to fall victim to social engineering attacks.
Social engineering is a technique used by bad actors to influence staff, often by impersonating a legitimate authority, to “compromise accounts, devices, systems or sensitive information”.
Given the appeal to malicious parties of the data held by healthcare organisations and their large workforces, this reverses the otherwise predicted trend. That could suggest robust authorisation processes, or it could be a factor of healthcare being a predominantly in-person activity, making it harder for outside parties to impersonate an authority.
With that in mind, however, the threat from rogue employees or other insiders, along with the theft of physical media (printed information or data storage media), is somewhat higher than average.
The OAIC report groups several types of cyber incidents: credential compromise via phishing, brute-force attacks, or other methods; ransomware and malware; hacking; and other, uncategorised incidents.
Within these, healthcare generally reports fewer attacks of each type, on average, with one key exception. The incidence of successful phishing attacks is significantly higher than average.
This suggests a strong need for improved cybersecurity awareness regarding phishing avenues, such as email links.
As mentioned above, any underrepresentation of malicious attacks is offset by an almost equal overage in human error. Notifiable breaches occur due to employee mistakes 12% more frequently than the all-industry average, and they account for closer to half of all breaches, whereas the average is less than one-third.
This could perhaps be due to the large, mobile workforce and the greater need to share information, such as between healthcare organisations or clinicians within the same employer. This could also be a result of the time pressure in our health system or the rapid maturation of digital health – more data is moving between stakeholders than ever before, increasing the risk of human error in data handling.
Across all industries, including healthcare, the most common data error is sending an email to the wrong recipient. While this might be a negligible concern in many environments, the personal and private nature of health information makes it a much more serious event, especially if the information is shared not with an incorrect colleague but with an outside party or another member of the public.
This also occurs at the same rate as the all-industry average, though in smaller quantities, by both postal mail and ‘other’ means.
Within the sub-types of human errors, there is one area where healthcare departs from the average – the industry reports significantly fewer unauthorised public disclosures of information.
As previously mentioned, it’s clear that healthcare professionals understand their remit to treat patient data with care and are therefore taking additional steps to ensure they do not publish private information.
Across the five years analysed, there have not been enough system-fault-driven breach notifications for us to identify any trends. The comparison between unintentional release of information and accidental granting of access to unauthorised parties fluctuates over time, with some publications reporting zero events at different times.
On aggregate, access errors conform to the proportion of all industry errors sourced from healthcare (~20%), while the unintended release of information by system fault is fewer than one in ten.
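To make the comparison method used in this analysis concrete, here is an added example (not code from the article, Ikonix or the OAIC) that encodes the OAIC source categories and sub-types listed above and computes a sector's share of notifications and its percentage-point gap from the all-industry mix. The category names follow this page; the row counts are constructed for illustration and are not OAIC figures.

```python
"""Added example: sector-versus-all-industry comparison over constructed OAIC-style counts."""
from collections import defaultdict
# OAIC source categories and the sub-types the article lists under each.
SOURCE_OF = {sub: src for src, subs in {
    "Malicious or criminal attack": ("Cyber incident", "Social engineering/impersonation",
        "Rogue employee/insider threat", "Theft of paperwork or data storage device"),
    "Human error": ("Unauthorised disclosure", "PI sent to wrong recipient",
        "Failure to use BCC", "Insecure disposal", "Loss of paperwork/data storage device"),
    "System faults": ("Unintended publication", "Unintended access granted"),
}.items() for sub in subs}
# Constructed sample rows: (reporting period, sector, sub-type, notifications).
# The numbers are illustrative only and are not OAIC figures.
SAMPLE = [
    ("2024H1", "Health", "Cyber incident", 30),
    ("2024H1", "Health", "Social engineering/impersonation", 2),
    ("2024H1", "Health", "PI sent to wrong recipient", 25),
    ("2024H1", "Health", "Unauthorised disclosure", 3),
    ("2024H1", "Health", "Unintended access granted", 1),
    ("2024H1", "Finance", "Cyber incident", 80),
    ("2024H1", "Finance", "Social engineering/impersonation", 20),
    ("2024H1", "Finance", "PI sent to wrong recipient", 40),
    ("2024H1", "Government", "Cyber incident", 50),
    ("2024H1", "Government", "PI sent to wrong recipient", 50),
    ("2024H1", "Government", "Unauthorised disclosure", 10),
]

def _select(rows, sector=None, period=None):
    """Rows matching the optional sector and period filters (None = all)."""
    return [r for r in rows if (sector is None or r[1] == sector)
            and (period is None or r[0] == period)]

def source_mix(rows, sector=None, period=None):
    """Share of notifications per source category. Returns {} when there are
    no notifications, so a period with zero events never divides by zero."""
    totals = defaultdict(int)
    for _, _, subtype, n in _select(rows, sector, period):
        totals[SOURCE_OF[subtype]] += n
    grand = sum(totals.values())
    return {k: v / grand for k, v in totals.items()} if grand else {}

def sector_share(rows, sector, period=None):
    """Fraction of all notifications in scope that came from `sector`."""
    total = sum(r[3] for r in _select(rows, period=period))
    return sum(r[3] for r in _select(rows, sector, period)) / total if total else 0.0

def gap_from_all(rows, sector, period=None):
    """Percentage-point difference between the sector's mix and the all-sector
    mix for each source category (positive = sector over-represented)."""
    mine, everyone = source_mix(rows, sector, period), source_mix(rows, None, period)
    return {c: round(100 * (mine.get(c, 0.0) - everyone.get(c, 0.0)), 1)
            for c in set(mine) | set(everyone)}
```

Run against the real half-yearly tables, the same functions give the "share of all notifications" and "points above or below the all-industry rate" figures the article quotes for each source category.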
As the OAIC reports are public information, an independent analysis of them was conducted by cybersecurity experts, CyberCX. Their report reinforces our assessment.
This publication advises that outside the OAIC, the CyberCX Digital Forensics and Incident Response (DFIR) team “responded to more incidents involving the healthcare sector than any other industry”.
They confirm that healthcare presents a high-value target for the malicious actors we’ve discussed throughout this article. This is explained as being due to health operating critical infrastructure, having a low tolerance for disruption of operations, and maintaining large amounts of sensitive information.
The analysts go on to explain that healthcare’s “threat profile” is made complex by:
- Constrained and contested budgets,
- Workforce constraints,
- Rapid digitisation,
- Vertical integration of care across the industry, and
- Sharing of patient data.
They highlight that advances in digital health have led healthcare services to transition to cloud solutions, and that there has been an increase in cyberattacks against third-party solution providers on which the health provider relies.
This digitisation is necessary, however, as bad actors can exploit what CyberCX calls ‘the level of tech-debt and legacy systems’ that providers are modernising.
For hospitals specifically, this report recommends developing a map of technologies across the hospital, cataloguing the data recorded, stored, and shared by the hospital, and identifying the technical integrations or connections to external parties within the hospital.
By mapping the tech embedded in the hospital, administrators will gain a better understanding of their potential cybersecurity exposure. We would add that this also presents an opportunity to harmonise or integrate additional systems while maintaining cybersecurity oversight.
How can healthcare leaders address these cyber risks?
- Reinforcing good habits and behaviours.
- Provide staff with secure tools to access and share information.
- Ensure only authorised personnel can access data.
Reinforcing cyber secure behaviour.
Fewer breaches from criminal activity, as discussed, suggest that there are positive behaviours and respect for privacy within the sector. This should be reinforced during early occasions such as induction, as well as in ongoing meetings and training. The sheer scale of the workforce, along with the frequency of personnel moving between roles, presents both risk and more opportunities for cybersecurity awareness training. It’s a positive outcome that healthcare workers treat patient data with apparent respect, but skills need to be developed to avoid, for example, becoming victims of phishing attacks.
Secure data sharing.
Training can only go so far for a busy workforce, and sophisticated attacks or lapses in awareness can still occur. This is why we recommend that healthcare authorities implement strong, secure tools for information sharing. This would present fewer opportunities for human error. Using our products as examples, there are opportunities for improving the security of information sharing:
Integrated systems. Ikonix Messenger is a Message Integration Engine, a system that conveys data between systems in hospitals around Australia. Because this provides a secure link, it reduces the risk of external interception of data transmission and the potential for human error when transcribing data between systems. Automated information sharing within a closed ecosystem can reduce cyber risk while also providing obvious operational benefits.
Closed communication networks. As a healthcare-specific critical communications app, Ikonix Connect enables healthcare workers to securely share information. This reduces the risk of interception, as data is encrypted at rest and transmitted over a VPN. Paging networks, still a vital part of hospital communication, can now be encrypted as well, preventing interception and removing the long-standing need to keep private details off pagers.
Authorised access.
Closing the information-sharing ecosystem will reduce potential points of failure. As we’ve observed, the most significant risk, relative to the average, is personnel sharing information with the wrong recipient. Sector workers are comparatively diligent about when to share, but when they need to transmit data, providing them with a secure way to access colleagues — significantly, not unrelated third parties — will reduce data breach incidents. Solutions such as Ikonix Connect, which draw exclusively from authorised organisational directories, close the loop against data risk. Clinicians on such an app can only contact personnel within their network and do so in a secure environment.
This communication is also stored only on organisationally owned infrastructure and logged in an audit trail for later investigation, as and when necessary.
Moving contact to a closed network will also reduce the capacity for phishing or social engineering, as only known or knowable contacts can communicate inside the network, locking out bad actors.