As the aged care sector continues to embrace technological innovation, the risk and regularity of cyber-attacks increase.
In the CyberCX Diagnosing Cyber Threats in Healthcare 2025 report, non-hospital clinical service providers – which include aged care – were the most targeted healthcare sub-sector, facing 10 times more publicly claimed attacks than hospitals, the next most targeted sub-sector.
This is of particular concern given the sensitive and personal nature of the data being exposed, with the most prevalent attack type on the sub-sector being cyber extortion – the threat or action of publishing personal and sensitive information online.
High risk for the sector was also a key finding of the Not-for-Profit Governance & Performance Study 2024-25, which found the aged care sector had the second-highest proportion of reported cyber incidents, sitting just under social services but higher than education and research.

Potential safeguards
The Not-for-Profit Governance & Performance Study report noted that smaller NFPs have fewer resources to defend against such attacks and suggested looking at collaboration or shared services as a means of protecting themselves without prohibitive costs. This is a tactic that regional provider Whiddon can attest is beneficial.
At the ITAC 2025 conference this month, Whiddon chief infrastructure officer Regan Stathers told the audience how the not-for-profit aged care provider fell victim to a cyber attack. Upon realising they had underestimated their cyber security system, Mr Stathers said they didn’t want to “waste a crisis” and got straight into addressing the breach.
Mr Stathers said the Whiddon team focused heavily on developing multi-factor authentication, cloud enablement and digital literacy as tools to enhance their cyber security.
However, he also noted that Whiddon did not have a large tech team or the ability to funnel all their resources into one, and were reliant on having good partners.
CyberCX also included recommendations on how organisations can avoid cyber breaches, including:
- invest in a virtual chief information security officer
- deploy a phishing simulation and education program
- complete a compliance audit and conduct a review of privilege access management controls
- map technical connections to third parties and define dependencies
- map attack surface and conduct regular penetration testing
- review obligations mapped to key controls or pathways
- develop a data classification, storage, and decommissioning map of medical and corporate data
- undertake multi-level tabletop exercises
- invest in effective back-ups
- implement network segregation.
Australian Institute of Company Directors not-for-profit lead Phil Butler said that the Not-for-Profit Governance & Performance Study showed that despite continued uncertainty, governance maturity is strengthening and organisations are proactively addressing key risks.

“However, the rising threat of cyberattacks, especially for organisations handling sensitive client data, remains a significant concern that demands continuous attention from boards,” Mr Butler told Australian Ageing Agenda.
“As the risks associated with climate change, cyber threats, and AI continue to evolve, it’s crucial for NFP directors to foster a proactive governance culture that addresses these challenges head-on.
“As governance expectations grow, the AICD remains committed to equipping NFP directors with the skills and resources needed to lead effectively.”