Point Lonsdale Medical Group
Summary
Point Lonsdale Medical Group, a Victorian medical centre, suffered a cyber attack in October 2025 when its reception and administration email account was subject to unauthorised access following a phishing campaign. A small number of emails containing patient information, including names, dates of birth, addresses, medical histories, diagnoses, treatment plans, Medicare card numbers, and health fund details, were accessed. The patient database and other systems were not affected.
What Happened
In October 2025, Point Lonsdale Medical Group's reception and administration email account was compromised through a phishing attack. The compromised account was used to send phishing emails to others. External forensics experts investigated and determined that a small number of emails contained in the mailbox were accessed by the unauthorised party. The emails typically contained referrals, health summaries, and treatment plans.
Impact on Individuals
A small number of patients had their personal health information accessed through the compromised email account. The potentially compromised information included names, dates of birth, addresses, medical histories, diagnoses, treatment plans, Medicare card numbers, and health fund details. The medical centre confirmed that the patient database and other systems were not impacted by the breach.
Organisational Response
Point Lonsdale Medical Group undertook immediate containment and remediation actions upon discovering the breach. The practice notified recipients of the phishing emails, advising them not to interact with those messages. PLMG engaged external forensic experts to investigate the scope of the breach and established a dedicated email address ([email protected]) for patient enquiries about the incident.