CYBER-ATTACK ON THIRD PARTY IT SERVICES PROVIDER
NOTICE OF ELIGIBLE DATA BREACH
We are writing to inform you that we have become aware of a data breach suffered by our IT
service providers, Auspacific Computer Express Pty Ltd trading as Auswide Corporate and
Aggregate IT Pty. Ltd. trading as Auswide Services IT (collectively the IT Provider) sometime
between 29 September 2023 and 10 October 2023 inclusive. Our IT Provider supplies end-to-end
services for our IT network and infrastructure, including managing the storage of
personal information on our behalf.
Based upon the information available to us, we have reason to believe that some personal
information of some of our patients of PartridgeGP, including you, has been accessed by
BianLian, a known cybercriminal group (Hacker).
We have inquired with our IT Provider to understand, as best we can, the circumstances
surrounding this data breach. This notice provides you with details of:
(a) the data breach that has occurred (What happened?)
(b) the kinds of personal information concerned (What was accessed?)
(c) the steps we recommend you take in response to the data breach (What can I do?)
1. What happened?
Based on the information available to us, we believe that:
1.1 On 29 September 2023 at 6:30am (ACDT), our IT Provider became aware of a
security vulnerability in the IT infrastructure which it uses to host its customers’
data, including the personal information of PartridgeGP’s patients (First
Incident). Upon becoming aware of the vulnerability, our IT Provider revoked
PartridgeGP’s access permissions to its hosting environment and suspended
hosting services to our office, whilst it commenced an immediate internal
investigation. At the time, and subsequently on 4 October 2023, PartridgeGP
was advised that:
(a) there was no reason to believe that its data (including the personal
information of its patients) had been accessed, lost or otherwise
compromised;
(b) the Australian Signals Directorate – Australian Cybersecurity Centre
(ACSC) and South Australian Police were advised of the vulnerability;
(c) the ACSC conducted a risk assessment which determined that there was
no risk to any persons or critical infrastructure; and
(d) Auswide undertook various remedial and proactive measures to bolster
its security,
in connection with the First Incident.
1.2 On 10 October 2023, we received an email sent from the email address of one
of our doctors. However, it was apparent that the email was created and sent
by an unidentified third party, which we now believe to be the Hacker. The
email attached a file which the Hacker claimed to have been taken from our
network. The Hacker indicated that PartridgeGP should contact them to
resolve the matter (Second Incident). The Hacker did not seek any ransom
from us for the return of the file, nor was there any explicit threat to use or
release the file, whether publicly or to any third parties.
1.3 We did not contact the Hacker. Instead, we (amongst other matters):
(a) immediately sent the file to our IT Provider to be ‘sandboxed’ (i.e. placed
in an isolated environment), so that its content could be confirmed and to
check that it was free from other malicious code and software viruses;
(b) notified Auswide that same day of the Second Incident. Auswide
contacted the South Australian Police and the ACSC to report the Second
Incident;
(c) changed the passwords to our various online portals or databases;
(d) ensured that emails to patients were sent through Best Practice medical
software, which utilises encryption technology;
(e) reset the passwords for the email accounts of all of our PartridgeGP
personnel;
(f) implemented two-factor authentication for our Facebook page; and
(g) reminded staff to remain diligent when opening emails and attachments,
with anything suspicious to be forwarded to Auswide.
1.4 Following ongoing, priority requests to our IT Provider for further information,
on 1 November 2023, we were advised of the following preventative and
remediation measures undertaken by Auswide or its appointed contractors, on
behalf of customers which included PartridgeGP:
(a) on 29 September 2023:
(i) temporarily suspending all access to the infrastructure, revoking all
access permissions and halting all services;
(ii) disabling the compromised account;
(iii) installing a host based security program to assist in analysing and
tracking any malicious activity;
(iv) implementing a more secure password policy for its hosted infrastructure
environment;
(v) forcing a user account reset for all customer user accounts, including that
of PartridgeGP;
(vi) continuing to investigate systems and logs, scanning for malicious
software or other indicators of compromise;
(vii) analysing network traffic to determine spikes in usage and attacker
uploads of data;
(viii) reviewing its firewall rules and enabling geo-blocking, so that only
Australian IP addresses could access the infrastructure;
(b) on 30 September 2023, further securing its system back-ups, with incremental
backups being undertaken hourly;
(c) on 2 October 2023:
(i) continuing to secure infrastructure and computer systems;
(ii) analysing logs and indicators of compromise on systems identified as
being accessed by a Hacker;
(iii) systems confirmed as being used by the Hacker were analysed, shut
down and disabled;
(iv) the Australian Signals Directorate was contacted and the incident was
reported as a cybercrime;
(v) the Department of Home Affairs and the Cyber and Infrastructure Security
Centre (CISC) were contacted for additional information, security advice
and support;
(d) on 3 October 2023:
(i) the South Australian Police (SAPOL) were contacted and the incident
reported as a cybercrime. Details of the Hacker, threats and their alleged
claim details were shared with SAPOL;
(ii) meeting with Cecuri to discuss the incident and recommendations to
move forward;
(e) on 5 October 2023, securing a port exposure, to rectify a potential external
network configuration issue identified by Cecuri;
(f) on 6 October 2023, shutting down Citrix hosted infrastructure and networking,
with isolation of the network access;
(g) on 7 October 2023:
(i) contacting Citrix’s support centre, to enquire about the addition of a
compensating control to secure a vulnerability identified in its network and
to better secure the Citrix portal with multi-factor authentication;
(ii) recreating the Active Directory servers;
(iii) securing password policies with greater complexity and resetting
customer user passwords;
(iv) blocking firewall traffic, except for known customer IP endpoints;
(v) restricting networking and providing limited customer functionality;
(vi) securing the Citrix hosted environment with multi-factor authentication;
(vii) conducting ongoing scanning of internal and external infrastructure and
monitoring for indicators of compromise;
(viii) hardening firewall rules and adding network traffic restrictions;
(h) on 8 October 2023, resetting user account passwords, so that users were
required to reset to longer and more complex passwords on first logon;
(i) on 10 October 2023:
(i) rolling out an ESET endpoint detection and response solution on the
hosted Citrix IT infrastructure to enhance malware protection, visibility
and management of each endpoint; and
(ii) consulting with external security experts for additional advice on detection
and response protection;
(j) on 12 October 2023, applying a patch released by Citrix for the vulnerability
identified in its infrastructure.
1.5 Following ongoing, priority follow ups with our IT Provider, the sandboxed file was
provided to us late on 3 November 2023 with confirmation that it could be opened as
a safe file (free of malicious code) on 7 November 2023. Upon accessing the file, we
noted that it contained some personal information of some patients of PartridgeGP.
2. What was accessed?
2.1 Based on our current information, we believe the Hacker has accessed the
following personal information of some of our PartridgeGP patients:
(a) our internal ID number assigned to the patient;
(b) age;
(c) dates of birth;
(d) Department of Veterans’ Affairs numbers;
(e) email addresses;
(f) genders;
(g) Medicare card numbers, reference number and expiry dates;
(h) names;
(i) pension card numbers;
(j) postal and street addresses; and
(k) telephone numbers (landline, mobile and work).
Not all of the abovementioned information will have been accessed in relation
to you. For further information about your specific personal information that was
impacted, please contact our office via support@partridgegp.com.au or by
calling 08 8295 3200 where a message will be taken for our Support Team to
return your call.
3. What can I do?
3.1 We acknowledge and apologise for the distress this data breach may cause
you.
At this stage, we have no information which suggests that the accessed
information has been released by the Hacker on the ‘dark web’. The dark web
is a closed online network, often accessed for criminal purposes. However, as
a further precaution, we strongly advise that you consider taking the
precautions outlined below, in order to safeguard your online identity and to
obtain support for any distress this data breach may have caused you:
(a) contacting Services Australia on 132 011. They can assist you with:
(i) getting a replacement Medicare card, which will have a new
number and expiry date. This means your old card will no longer
be valid;
(ii) adding a secret password to your Medicare records. This will
provide an extra level of authentication;
(iii) locking access to your online Medicare account, the Express
Plus mobile apps or phone self-service functionality; and
(iv) cancelling your Medicare online account and Express Plus
mobile apps;
(b) checking for suspicious activity on your myGov account. The myGov
website can show you how to view your myGov account history. If you
find anything suspicious, you can call Services Australia’s Scams and
Identity Theft Help Desk on 1800 941 126;
(c) asking for a credit report from agencies such as Equifax, illion and
Experian, to see whether someone has attempted to get credit in your
name. Further information on how to do this is available at:
https://www.idcare.org/fact-sheets/credit-reports-australia;
(d) calling the Australian Cyber Security Hotline on 1300 292 371. This is
run by the Australian Cyber Security Centre (a Commonwealth
government agency), whose website at https://www.cyber.gov.au also
contains useful tips to protect yourself, whether online or with your
devices;
(e) calling ID Care on 1800 595 160. ID Care is a not-for-profit organisation
which helps people with identity and cybersecurity concerns, and their
website at https://www.idcare.org also contains useful tips on how you
can further protect yourself against scams, fake texts and phishing
exercises;
(f) visiting the website of the Office of the Australian Information
Commissioner, for helpful ‘Data breach support and resources’
(including links to mental health support services);
(g) maintaining vigilance for suspicious texts, emails or phone calls you
may receive, including by:
• being alert for any phishing scams that may come to you by phone, post or email;
• carefully reviewing any communications you receive to ensure
they are legitimate;
• being careful when opening or responding to texts from unknown or suspicious numbers; and
• regularly updating your passwords with ‘strong’ passwords, not reusing passwords and activating multi-factor authentication on any online accounts, where available;
(h) contacting any of Beyond Blue (see https://www.beyondblue.org.au/about-us/contact-us or
call 1300 22 4636) or Lifeline (see https://www.lifeline.org.au or call 13 11 44) for
support, if this data breach has caused you distress.
Yours faithfully
Management Team
PartridgeGP