🔒breach.co.nz · the NZ & Australia breach register 🛡️ A Govern service
Register › 🇦🇺 AU › Healthcare
Advertising
Your brand, in front of the right people
Run-of-site leaderboard — every ad-supported page across the register.
Enquire → breach@govern.co.nz

Ochre Health (Tuggeranong)

🇦🇺 Canberra, ACT · Ochre Health (Ochre Medical Centre Tuggeranong) · Record AU-2026-0060
○ Reported — awaiting official confirmation
Reported — awaiting official confirmation. The facts below are drawn from the organisation's own disclosure and credible reporting. Figures are as reported; unknowns are labelled, not estimated by us.
People affected
Not disclosed
Breach date
2026-06
Regulator
OAIC and ACSC (notified)
Trust tier
B · Reported

Data exposed

Unauthorised access via two compromised accounts on the HotDoc third-party booking platform (Tuggeranong clinic) Company-confirmed
Reported to include names, dates of birth, addresses, emails, phone numbers, Medicare numbers, DVA numbers, appointment details and billing information Media-reported

Confidence: Confirmed = regulator/court · Company-confirmed = the organisation's own disclosure · Media-reported = press. Figures without an official source are labelled, not estimated.

What happened

In June 2026 Ochre Health confirmed it was investigating claims that patient data from its Ochre Medical Centre Tuggeranong clinic in Canberra had been accessed [och-ochre]. The company said the access occurred through two user accounts on HotDoc, a third-party appointment-booking platform, and that it was working to verify what specific information had been affected [och-ochre]. Media reporting, drawing on a threat actor’s listing, described the exposed data as including names, dates of birth, addresses, emails, phone numbers, Medicare numbers, DVA numbers, appointment details and billing information [och-cyberdaily], [och-canberratimes].

Timeline

  • 2026-06 — Media reported patient data from the Tuggeranong clinic circulating online [och-cyberdaily].
  • 2026-06 — Ochre Health published a statement confirming unauthorised access via two HotDoc accounts and notification of the OAIC and ACSC [och-ochre].

Current status

Investigating. Ochre confirmed the unauthorised access and that it had notified the Office of the Australian Information Commissioner and the Australian Cyber Security Centre [och-ochre]. Media reporting put the Tuggeranong dataset at around 25,000 patients, but Ochre had not confirmed that number or the full list of affected fields at the time of its statement — so those figures are reported here as claims, and no count is asserted [och-cyberdaily], [och-ochre].

Why it matters

A GP clinic’s records hold Medicare and DVA identifiers alongside health and billing data — a combination that is valuable for identity and Medicare fraud — and this incident again turns on a compromised third-party platform rather than the clinic’s own systems.

GGOVERN Tabletop Exercises · Govern house When ransomware hits the ward, will your team know the call? Book a Discovery Call →