Two Queensland medical practices have been named on ransomware leak sites in separate alleged cyber incidents, underscoring ongoing cyber risk exposure for Australian healthcare providers and their insurers.
Cyber Daily has reported that data listed by the SafePay ransomware group appears to relate to Hyperdome Doctors and Skin Clinic, a medical centre in Loganholme, Queensland. The practice has operated since 2000 and describes itself as “providing high quality, comprehensive care to all families and individuals in our community.”
SafePay’s dark web site initially identified a different business – Hyperdome Medical Centre in the Australian Capital Territory – as the victim. That ACT practice subsequently told Cyber Daily it was not the organisation affected. Cyber Daily’s review of the material posted by the threat actors suggests that the listing instead concerns Hyperdome Doctors and Skin Clinic, indicating a possible misnaming by the group. The data advertised by SafePay has not been independently verified. According to Cyber Daily, the sample set appears to include information about practitioners, internal documents, and other files allegedly drawn from the Queensland practice. Hyperdome Doctors and Skin Clinic had not publicly commented at the time of reporting.
In a separate development, Harbour Town Doctors, based in Biggera Waters on the Gold Coast, has been listed as a victim by the Rhysida ransomware group, according to Cyber Daily’s report. Rhysida posted about the incident on Dec. 11, publishing several low-resolution images of what it claims are documents taken from the clinic. Some images appear to show documents on Harbour Town Doctors’ letterhead, patient health summaries, medical record transfer paperwork, and what seem to be pathology-related records.
SafePay is a comparatively recent entrant to the ransomware landscape, with activity first observed in October 2024. The group has claimed intrusions affecting organisations in Australia and multiple overseas jurisdictions, including the UK, the US, Italy, New Zealand, Canada, Belgium, Brazil, Germany, Barbados, and Argentina. Unlike affiliate models used by some other groups, SafePay states that it does not operate as a ransomware-as-a-service (RaaS) platform. On its leak site, the group said: “SafePay ransomware has never provided and does not provide the RaaS.”
Rhysida operates under a different model. It is described as a ransomware-as-a-service operation that has claimed more than 250 victims globally since it was first observed in mid-2023. Open-source reporting indicates the group is financially motivated and uses Russian in some of its online communications.
In the Harbour Town Doctors case, Rhysida initially set a seven-day deadline and is now offering the alleged dataset for sale for five bitcoin, estimated at around $137,000 based on recent exchange rates. In its leak post, the group appeals to potential buyers. “With just seven days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data,” the group said. It added: “Open your wallets and be ready to buy exclusive data. We sell only to one hand; no reselling. You will be the only owner!” The structure of the offer means either the original data owner or any third party can purchase the dataset, creating potential secondary exposure for patients, staff, and counterparties and complicating risk, liability, and remediation strategies.
The incidents involving Hyperdome and Harbour Town are emerging against a backdrop of elevated ransomware and cyber activity in Australia and New Zealand. Research from Opentext Cybersecurity suggests that 40% of Australian organisations experienced at least one ransomware event over the past 12 months, and almost half of those were targeted multiple times. Approximately one in three victim organisations chose to pay a ransom, and 41% of those payments were above US$250,000.
Separate survey findings from Arctic Wolf indicate that 85% of organisations across Australia and New Zealand reported at least one cyber incident over a similar period, compared with a global average of 76%. In that survey, nearly three-quarters of businesses in the region reported paying ransoms to prevent data leaks. A reported 91% of those organisations used external negotiators, but fewer than half secured a reduction in the initial ransom demand.
For the insurance market, these data points and the emerging healthcare cases in Queensland may influence pricing, capacity, and terms in cyber and technology lines, particularly for sectors that manage large volumes of personal and health information. Insurers and brokers are likely to continue emphasising pre-bind risk assessments, minimum control requirements, and post-incident services, as the frequency and impact of ransomware activity remain key drivers of loss experience in the region.
