Gallagher is warning that Australian healthcare organisations remain exposed to sustained cyber risk as threat actors continue to target high‑value health data and technology‑reliant clinical operations. In an insight article, Gallagher reported that Australian health service providers lodged more than 200 data breach notifications over a recent 12‑month period, underlining the sector’s continued exposure to cyber incidents. Nationally, a cyber incident is estimated to be reported about every six minutes, and cyber risk is described as a leading concern for businesses.
Legal and regulatory requirements are adding to the pressure on boards and executives. Under privacy and data protection laws, organisations that fail to adequately safeguard personal information can face civil penalties of up to $50 million. For hospitals, clinics, and allied health providers, that scale of potential liability is influencing risk appetite, governance expectations, and interest in cyber cover. Robyn Adcock, Gallagher national placement manager for cyber and technology, said the combination of cyber threats and compliance obligations is reshaping the way health entities view risk. “When an industry sector is targeted by both cyber attackers and security regulations, taking a proactive approach to risk management, minimisation, and containment is absolutely critical,” Adcock said.
Healthcare data sets typically bring together detailed clinical records, Medicare and private health insurance information, contact details, and payment data. As this information is created, stored, and shared via electronic health record platforms, telehealth systems, cloud‑based practice management tools, and internet‑connected medical devices, the number of possible access points for attackers increases. Gallagher notes that threat actors may encrypt systems and demand ransom, threaten to release patient information, or use both approaches in a single incident. Unauthorised access to patient or staff data can lead to privacy investigations, regulatory enforcement action, individual claims, class actions, and contractual disputes with funders and suppliers.
Service continuity is a parallel concern for providers. Ransomware and other malware can interrupt access to clinical applications, diagnostic systems, scheduling platforms, and administrative tools, forcing staff to revert to manual workarounds. Misconfigurations or failures in connected medical devices and related infrastructure can also create safety and liability exposures that may result in insurance claims or regulatory scrutiny.
Within this environment, Gallagher points to six main categories of cyber risk for healthcare organisations:
Gallagher notes that where organisations do not have clear governance arrangements, defined incident response plans, and appropriate technical and procedural controls, directors and officers may face legal, regulatory, and reputational consequences after a major incident.
A case study cited by Gallagher describes a private healthcare clinic that experienced a cyberattack in which the attackers threatened to publish stolen patient data on a public website unless a ransom exceeding $20,000 in bitcoin was paid. The clinic notified its cyber insurer and accessed the incident response services attached to its policy. IT forensic specialists were engaged and determined that information relating to around 3,000 patients had been accessed, but that sensitive medical details had not been compromised.
Following advice from a crisis communications consultant, the clinic chose to notify affected patients and did not pay the ransom. The organisation did not receive further contact from the attackers. The cyber policy responded to the costs of the forensic work and communications support, subject to a deductible. For insurers, brokers, and risk managers, the example shows how the availability of forensic, legal, and communications advisers can affect the duration, cost, and reputational impact of a cyber event.
Data from the Office of the Australian Information Commissioner (OAIC) provides broader context for Gallagher’s assessment of cyber exposure. In its notifiable data breach report for January to June 2025, the OAIC recorded 532 notifications, about 10% fewer than in the previous six‑month period, which had reached a record level. Despite the decline, the regulator notes that breach volumes remain high and that notifications have tended to increase in the second half of the year. Malicious or criminal attacks accounted for 59% of notifications (308 incidents), with cyber security incidents the predominant type of event in this category. On average, just over 10,000 individuals were affected per cyber incident in the first half of 2025, illustrating the potential scale of individual‑level impact.
The health sector had the largest share of reported breaches at 18% of all notifications, followed by the finance sector at 14% and Australian government agencies at 13%. Incidents attributed to human error rose to 37% of total notifications (193 breaches), up from 29% in the previous reporting period. According to the OAIC, this pattern indicates that staff practices and processes remain a significant factor in information security, even where technical controls are in place.
Gallagher describes cyber insurance as one component of a broader approach to managing cyber and privacy risks in the health sector. In the Australian market, many cyber policies provide cover for breach response costs, around‑the‑clock incident hotlines, coordination of external advisers, IT forensic services, legal advice on privacy and regulatory issues, and crisis management and customer notification activities. The broker says healthcare organisations are increasingly expected to have a documented and tested incident response plan, clearly defined roles and responsibilities, and regular staff training on phishing, data handling, and escalation processes. For insurance professionals, the mix of sensitive personal data, reliance on digital systems, and active regulatory enforcement is influencing underwriting, pricing, risk selection, and advisory work in the health segment. These developments are prompting insurers and intermediaries to assess clients’ cyber controls in more detail, including third‑party and vendor management, board oversight, incident readiness, and post‑incident review processes, as cyber risk remains a significant exposure for healthcare insureds.