I've had the same conversation roughly forty times in the past decade.
I'm sitting across the table from a practice manager, or a specialist clinic owner, or a board member of a mid-size allied health group. I've just walked them through their risk exposure. And eventually, without fail, someone says some version of: “But we're a small practice. Who would bother with us?”
I understand the logic. The headlines go to Medibank. To MediSecure. To the big targets with the big patient databases. Small practices feel like background noise.
Here's the problem with that logic. The data doesn't support it.
What the numbers actually show
The Office of the Australian Information Commissioner has been publishing Notifiable Data Breaches statistics since 2018. Every six months, a new report lands. Every six months, the same sector sits at the top of the table.
Healthcare.
Not occasionally. Not in the years when there was a big headline incident. Every single reporting period.
In the second half of 2024, the OAIC received 595 data breach notifications — a 15% increase on the previous six months. The health sector accounted for 20% of those notifications, the highest of any sector.
In the first half of 2025, the pattern held. The health sector led again, representing 18% of all reported breaches, ahead of finance at 14% and Australian Government agencies at 13%.
Zoom out to the full calendar year, and the picture is worse. In 2024, a total of 1,113 data breaches were reported to the OAIC — the highest annual figure since the NDB scheme began in 2018, representing a 25% increase on 2023. Health service providers topped the sector list, accounting for 22% of all breach notifications.
These numbers are not driven exclusively by high-profile incidents like MediSecure, where a ransomware attack in April 2024 resulted in a breach impacting approximately 12.9 million Australians, with sensitive personal and health information put up for sale on the dark web.
The bulk of healthcare breaches involve organisations you have never heard of. Specialist clinics. Dental practices. Allied health groups. Aged care providers. And, increasingly, small private practices.
The attack vectors are not sophisticated
This is the part that matters most for a resource-constrained practice.
The assumption is that healthcare breaches happen because nation-state actors or elite ransomware groups target large, complex infrastructure. Some do. But the most common causes of cyber incidents in 2024 were phishing (30%), compromised or stolen credentials (27%), and ransomware (24%).
Phishing. Stolen passwords. Ransomware. None of these require a sophisticated target. None of these require a large organisation. They require an unlocked door — and small practices have plenty of those.
Human error accounted for 37% of all data breaches in the first half of 2025 — up significantly from prior periods. Mis-sent email was among the leading causes.
Staff forwarding a patient file to the wrong address. A reception login credential reused across personal and work accounts. An unpatched practice management system running on a Windows server from 2018. These are not abstract risks. I have seen each of them in practices that later called me after an incident.
The attack surface in healthcare is not just large — it is poorly defended, and the sector has been loudly advertising that fact through seven years of breach data.
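As an added illustration, not code from the original article, here is one small control against the mis-sent email failure mode described above: an outbound-recipient check a practice could run before a message leaves, holding anything addressed outside the practice's own domains or anything that looks like a typo of a known referral contact. The domain names, contact addresses and function names are constructed assumptions.

```python
"""Outbound-recipient guard: a constructed example of one control against
mis-sent email. Hypothetical code, not from the original article."""
import difflib
import re

# Constructed sample data: the practice's own domains and its regular
# referral contacts. A real deployment would load these from the PMS.
TRUSTED_DOMAINS = {"example-practice.com.au", "example-pathology.com.au"}
KNOWN_CONTACTS = {
    "referrals@example-pathology.com.au",
    "dr.smith@example-specialists.com.au",
}

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def domain_of(address):
    """Return the lower-cased domain part of an address, or None if malformed."""
    match = EMAIL_RE.match(address.strip().lower())
    return match.group(1) if match else None


def nearest_known(address, known_contacts, cutoff=0.85):
    """Return the known contact most similar to address (difflib ratio >= cutoff), or None."""
    candidates = [k.lower() for k in known_contacts]
    matches = difflib.get_close_matches(address.lower(), candidates, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def check_recipients(recipients, trusted_domains=TRUSTED_DOMAINS,
                     known_contacts=KNOWN_CONTACTS):
    """Classify each recipient as 'ok', 'external', 'invalid' or a 'typo?' suggestion.

    'ok'       - a known contact, or a domain the practice controls
    'typo?'    - close to a known contact but not identical (likely mis-typed)
    'external' - a valid address the practice has no prior relationship with
    'invalid'  - not a well-formed address at all
    """
    known_lower = {k.lower() for k in known_contacts}
    findings = {}
    for recipient in recipients:
        addr = recipient.strip().lower()
        dom = domain_of(addr)
        if dom is None:
            findings[addr] = "invalid"
            continue
        if addr in known_lower or dom in trusted_domains:
            findings[addr] = "ok"
            continue
        near = nearest_known(addr, known_contacts)
        if near is not None:
            findings[addr] = f"typo? did you mean {near}"
        else:
            findings[addr] = "external"
    return findings


def should_hold(findings):
    """Hold the message for human confirmation if any recipient is not 'ok'."""
    return any(verdict != "ok" for verdict in findings.values())


if __name__ == "__main__":
    # Constructed sample: one good address, one typo, one stranger, one malformed
    sample = [
        "referrals@example-pathology.com.au",
        "dr.smith@example-specialist.com.au",
        "someone@gmail.com",
        "not-an-address",
    ]
    result = check_recipients(sample)
    for addr, verdict in result.items():
        print(f"{addr}: {verdict}")
    print("hold for confirmation:", should_hold(result))
```

The check is deliberately conservative: it never blocks, it only forces a second look, which is the point of a control aimed at human error rather than at an attacker.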
The specific targeting of smaller providers is intensifying
The trend line is not improving. Ransomware attacks on Australian healthcare providers increased by 60% from 2024 to 2025, making Australia one of the fastest-growing targets globally for healthcare-sector ransomware.
The incidents hitting the breach register are not limited to large providers. Recent examples include a Sydney medical practice targeted by INC Ransom ransomware, a Tasmanian aged care and disability not-for-profit hit by Lynx ransomware, and Smile Team Orthodontics, where hackers published stolen data including staff details, addresses, and patient payment plans to the dark web.
An orthodontic practice. Not a hospital. Not an insurance company.
Your patients do not distinguish between “significant” healthcare providers and “small” ones when it comes to the sensitivity of their information. A diagnosis, a prescription, a referral letter, a Medicare number — these have real black-market value and real harm potential regardless of the size of the practice that held them.
The Privacy Act has changed the stakes
Before October 2024, a small practice could argue it was exempt from the NDB scheme on turnover grounds. That argument is now significantly harder to sustain.
The Privacy and Other Legislation Amendment Act 2024 — the first tranche of substantive Privacy Act reform in thirty years — tightened the regime. The small business exemption has not yet been fully removed, but the trajectory is clear. Regulators have stated publicly that further reform is coming. The OAIC has been escalating its enforcement posture.
More practically: even if a practice currently sits below mandatory reporting thresholds, a data breach involving health information triggers serious harm considerations that are not threshold-dependent. The obligation to protect patient health information exists regardless of turnover. The Privacy Act has always applied to private sector health service providers, regardless of size.
The fine regime has also changed materially. Serious or repeated interferences with privacy now attract penalties of up to $50 million, or three times the benefit obtained, or 30% of adjusted turnover — whichever is greater. The era of administrative slaps is ending.
What I actually recommend
The good news is that the interventions that would have prevented most of the breaches in the OAIC data are not expensive or technically complex. They are consistently absent — which is a governance problem, not a technology problem.
For a private practice, the foundation looks like this:
None of this requires a six-figure security programme. It requires clear thinking, documented processes, and someone whose job it is to make sure the basics are in place.
The question worth asking
Your patients chose you. In healthcare, that choice involves a degree of trust that is genuinely personal. They are sharing information with you that they would not share with most people in their lives.
The question is not whether you are large enough to be a target. The data has been answering that question for seven years, and the answer has not changed.
The question is whether your current security posture reflects the level of trust your patients have placed in you.
If you are not sure, that uncertainty is itself the answer.