What happened
In June 2026 Ochre Health confirmed it was investigating claims that patient data from its Ochre Medical Centre Tuggeranong clinic in Canberra had been accessed [och-ochre]. The company said the access occurred through two user accounts on HotDoc, a third-party appointment-booking platform, and that it was working to verify what specific information had been affected [och-ochre]. Media reporting, drawing on a threat actor’s listing, described the exposed data as including names, dates of birth, addresses, emails, phone numbers, Medicare numbers, DVA numbers, appointment details and billing information [och-cyberdaily], [och-canberratimes].
Timeline
- 2026-06 — Media reported patient data from the Tuggeranong clinic circulating online [och-cyberdaily].
- 2026-06 — Ochre Health published a statement confirming unauthorised access via two HotDoc accounts and notification of the OAIC and ACSC [och-ochre].
Current status
Investigating. Ochre confirmed the unauthorised access and that it had notified the Office of the Australian Information Commissioner and the Australian Cyber Security Centre [och-ochre]. Media reporting put the Tuggeranong dataset at around 25,000 patients, but Ochre had not confirmed that number or the full list of affected fields at the time of its statement — so those figures are reported here as claims, and no count is asserted [och-cyberdaily], [och-ochre].
Why it matters
A GP clinic’s records hold Medicare and DVA identifiers alongside health and billing data — a combination that is valuable for identity and Medicare fraud — and this incident again turns on a compromised third-party platform rather than the clinic’s own systems.