TL;DR
- Aged care providers hold extraordinarily sensitive data: medical histories, cognitive assessments, financial enduring power of attorney, medication records, personal care notes, and family contact information — all in a single breach footprint.
- The Aged Care Act 2024 creates new accountability: From 1 July 2024, the Act imposes strengthened quality standards including explicit requirements for technology and cyber security governance. Boards, not just IT teams, are personally accountable.
- Respect aged-care breach (2024) confirmed the sector is actively targeted: Tasmanian aged-care provider Respect was targeted by ransomware actors in October 2024, with data allegedly published on the dark web — demonstrating that even regional and mid-sized providers are not safe.
- Staff are the primary vulnerability: High workforce turnover, a significant proportion of non-technical staff, and overworked care managers create fertile ground for phishing, credential theft, and social engineering attacks.
Why Aged Care Businesses Are Cybersecurity Targets
Australian aged care providers sit at a uniquely dangerous intersection: they hold health data (which attracts the same regulatory protections as hospitals), financial data (including power-of-attorney and estate management records), and personal care data of some of the most vulnerable people in our society. This combination of data richness, regulatory sensitivity, and historically under-resourced IT infrastructure makes aged care providers prime ransomware targets. According to the Aged Care Quality and Safety Commission's (ACQSC) Technology and Cyber Security topic guide, providers must comply with both the Aged Care Act 2024 and the Privacy Act 1988 when handling resident data. Grant Thornton Australia's analysi
The Top 3 Cybersecurity Threats for Aged Care
1. Ransomware Targeting Care Management Systems
Aged care providers operate residential facilities and home care services around the clock — which means a ransomware attack that takes down care management systems (AlayaCare, Person Centred Software, Nourish, iCare, etc.) creates immediate resident safety risks, not just business disruption. Carers cannot access medication schedules, dietary requirements, fall risk assessments, or emergency contacts. Residential facility operators have legal obligations under the Aged Care Act 2024 to maintain continuity of care — a ransomware attack that prevents this can trigger regulatory investigations by the ACQSC in addition to OAIC privacy proceedings. The "double extortion" model used by modern ransomware groups — where data is both encrypted and threatened to be published — is especially damaging in aged care because leaked resident records expose the provider to simultaneous regulatory, reputational, and family-level consequences. The ASD's Annual Cyber Threat Report 2024–2025 confirms that ransomware and data extortion remain among the most damaging cybercrime types targeting critical infrastructure sectors — and aged care is increasingly treated as critical social infrastructure.
2. Phishing and Social Engineering Targeting Care Staff
The aged care workforce is characterised by high staff turnover, a significant proportion of workers with limited IT background, long and demanding shifts, and multiple concurrent responsibilities that create cognitive load and reduce vigilance. These conditions make care staff highly susceptible to phishing attacks. Attackers have been observed sending fake payroll notification emails, fake rostering system alerts, and even fake messages impersonating the Australian Government's My Aged Care portal to steal staff credentials. Once a care worker's email or care management system credentials are compromised, attackers can access resident records, financial information, and administrative systems. IBM's 2024 Cost of a Data Breach Report identifies phishing and stolen credentials as Australia's top two attack vectors. In aged care, phishing training must be practical, accessible, and delivered in formats suitable for a non-technical workforce — short videos, supervisor-led briefings, and simple "if in doubt, call IT" protocols are more effective than lengthy e-learning modules.
3. Endpoint and Device Security in Distributed Care Environments
Home care and community care services are particularly vulnerable because carers use personal smartphones, tablets, or employer-issued devices in residents' homes, in transit, and in facility common areas. These devices access care management portals, shared resident records, and sometimes facility Wi-Fi networks with weak security configurations. Lost or stolen devices containing unencrypted care records are a significant NDB trigger — and unlike corporate offices, aged care providers cannot physically control the environments where their devices and data are used. Mobile Device Management (MDM) solutions are essential but often not deployed by smaller providers. Community care workers who use personal devices for care management apps create a "Bring Your Own Device" (BYOD) problem that exposes resident data to the security posture of the worker's personal phone — which may not be patched, may be shared with family members, or may already be compromised.
Compliance Requirements for Aged Care
Aged care providers in Australia operate under one of the most demanding regulatory frameworks of any SMB sector:
Aged Care Act 2024 (Cth) — Strengthened Quality Standards
The Aged Care Act 2024 (effective 1 July 2024) introduced strengthened quality standards that explicitly address technology and cyber security. The ACQSC's Technology and Cyber Security topic guide states that providers must have systems and processes to protect residents' personal information and manage cyber security risks. Governance failures — including inadequate cyber security — can result in sanctions, loss of accreditation, and civil penalties. Boards of incorporated aged care providers are personally accountable for cyber governance under the Act.
Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)
Aged care providers are not covered by the small business exemption — they handle health information, which is classified as sensitive information under the Privacy Act and triggers full APP obligations regardless of size. APP 11 requires "reasonable steps" to protect health information from interference, loss, and unauthorised access. The Privacy and Other Legislation Amendment Act 2024 (effective 11 December 2024) significantly strengthened OAIC enforcement powers, with civil penalties for serious breaches of up to AUD $50 million.
Notifiable Data Breaches (NDB) Scheme
Any eligible data breach — defined as unauthorised access to or disclosure of personal information that is likely to result in serious harm — must be reported to the OAIC and affected individuals as soon as practicable and within 30 days. Resident health and financial information meets the "serious harm" test easily, meaning virtually any breach of a care management system triggers mandatory notification.
My Aged Care (MAC) System Security
Providers registered with the My Aged Care system have specific obligations regarding how they access, handle, and protect client information obtained through the MAC system. The Australian Digital Health Agency and the Department of Health and Aged Care require registered providers to maintain access controls and audit capabilities for MAC data.
Cyber Security Act 2024
From 30 May 2025, aged care operators with annual turnover above AUD $3 million must report ransomware payments to the ASD within 72 hours. Large residential aged care providers may also be assessed as critical infrastructure under the Security of Critical Infrastructure Act 2018, creating additional reporting and security obligations.
Aged Care Quality and Safety Commission (ACQSC) Expectations
The ACQSC conducts assessments of providers under the strengthened standards. Cyber security is now explicitly part of the governance and management domain assessed during provider audits. Providers are expected to demonstrate documented cyber security policies, staff training programmes, incident response plans, and evidence that they have assessed and managed their cyber risks.
The lilMONSTER Security Checklist for Aged Care
- MFA on all care management systems and email — Every staff member, from the CEO to casual care workers, needs MFA on care management portals, email, and payroll systems. If a care management system doesn't support MFA, raise it with your vendor as a contractual requirement. This single control prevents the majority of credential stuffing and phishing attacks.
- Mobile Device Management (MDM) for all devices used in care delivery — Deploy MDM (Microsoft Intune, Jamf, or equivalent) on all devices used by care staff. Enforce PIN/biometric lock, remote wipe capability, encryption at rest, and app restrictions. For home care services that allow BYOD: implement a mobile application management (MAM) solution that containerises the care app separately from personal content.
- Staff phishing training — accessible and practical for care workers — Run quarterly phishing simulations using realistic aged-care pretexts (fake MyAgedCare alerts, fake payroll notifications, fake rostering change emails). Keep training short (5–10 minutes), visual, and in plain language. Provide a simple "what to do if suspicious" card on staff noticeboards and in staff break rooms.
- Care management system access controls and auditing — Implement role-based access so care workers can only access records for residents they actively care for. Audit who accesses which records and flag unusual access patterns (e.g., a worker accessing records for residents they don't care for). Log all access for forensic capability.
- Offline, encrypted backups of all resident records and financials — Back up care management data, resident files, financial records, and rostering systems daily. Maintain at least one backup copy that is disconnected from the network (air-gapped or immutable storage). Test backup restoration quarterly. Many aged care providers hit by ransomware discover their network-connected backups were also encrypted.
- Incident response plan — including care continuity procedures — Document exactly what happens in the first hours of a ransomware attack or data breach: how care continues if care management systems are down (paper-based fallback procedures), who notifies the ACQSC, who contacts the OAIC, who calls families of affected residents. Test this plan with a tabletop exercise annually.
- Vendor security assessment for care technology providers — Review the cybersecurity and privacy practices of all technology vendors with access to resident data — care management software, electronic medication administration record (eMAR) systems, telehealth platforms, financial software. Require a Data Processing Agreement (DPA) and confirm they comply with the Australian Privacy Principles.
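The access-auditing item above (audit who accesses which records and flag a worker reading records for residents they don't care for) can be checked mechanically against the roster. The script below is an added example, not code from lilMONSTER or from any care management product: it runs a roster-based check over constructed access-log lines, flags every access to a resident outside the worker's rostered assignments, and escalates a worker who touches several unassigned residents in one day as a bulk-access pattern. The log format, roster structure, worker and resident IDs, and the bulk threshold are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed roster (assumed structure): (worker_id, shift_date) -> residents
# the worker is assigned to on that day.
ROSTER = {
    ("W101", "2025-03-04"): {"R001", "R002", "R003"},
    ("W102", "2025-03-04"): {"R004", "R005"},
    ("W103", "2025-03-04"): {"R001", "R006"},
}

# Constructed access log in an assumed export format:
# timestamp worker resident record_type action
ACCESS_LOG = """\
2025-03-04T07:05:12 W101 R001 medication VIEW
2025-03-04T07:06:40 W101 R002 care_notes VIEW
2025-03-04T07:30:02 W102 R004 medication VIEW
2025-03-04T07:31:15 W102 R001 financial VIEW
2025-03-04T07:31:22 W102 R002 financial VIEW
2025-03-04T07:31:30 W102 R003 financial VIEW
2025-03-04T07:31:41 W102 R006 financial EXPORT
2025-03-04T13:10:00 W103 R006 care_notes UPDATE
"""

@dataclass(frozen=True)
class Finding:
    worker: str
    rule: str      # "off-roster" or "bulk-off-roster"
    detail: str

def parse_log(text):
    """Return one (timestamp, worker, resident, record_type, action) per line."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, worker, resident, record_type, action = line.split()
            events.append((datetime.fromisoformat(ts), worker, resident,
                           record_type, action))
    return events

def detect(events, roster, bulk_threshold=3):
    """Flag off-roster access; escalate when one worker reaches the threshold
    of distinct unassigned residents in a day (threshold is an assumed value)."""
    findings = []
    off_roster = defaultdict(set)  # (worker, day) -> unassigned residents seen
    for ts, worker, resident, record_type, action in events:
        day = ts.date().isoformat()
        if resident not in roster.get((worker, day), set()):
            off_roster[(worker, day)].add(resident)
            findings.append(Finding(worker, "off-roster",
                f"{action} {record_type} of {resident} at {ts.isoformat()}"))
    for (worker, day), residents in off_roster.items():
        if len(residents) >= bulk_threshold:
            findings.append(Finding(worker, "bulk-off-roster",
                f"{len(residents)} unassigned residents on {day}: "
                f"{sorted(residents)}"))
    return findings
```

In the constructed log, W102 reads the financial records of four residents outside their roster within a minute, so the run yields four off-roster findings and one bulk escalation, all for W102.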
How Much Does Cybersecurity Cost for an Aged Care Business?
Aged care cybersecurity investment must be framed against the full cost of a breach — including resident care disruption, ACQSC enforcement, and OAIC penalties:
| Spend | What it covers |
|---|---|
| AUD $3,000–8,000/year | Essentials: MFA rollout, MDM for staff devices, encrypted backup, basic staff training |
| AUD $8,000–30,000/year | Managed Security: 24/7 monitoring, patch management, phishing simulation, incident response retainer |
| AUD $30,000–100,000/year | Enterprise programme: SOC monitoring, penetration test, ISO 27001 or ACQSC-aligned compliance programme, board-level cyber governance |
Cost of a breach for an aged care provider:
- Average Australian data breach: AUD $4.26 million (IBM, 2024)
- Small-to-medium business cyber attack average: AUD $122,000 (Rockingweb, 2025)
- OAIC civil penalty exposure: up to AUD $50 million for serious or repeated Privacy Act breaches
- ACQSC enforcement: loss of accreditation, sanctions, forced service closure in extreme cases
- Reputational damage: families removing residents from care — potentially catastrophic for smaller operators
Cyber liability insurance for aged care typically costs AUD $2,000–8,000/year for small-to-medium providers and is increasingly a coverage condition for ACQSC-funded providers. Insurers require evidence of MFA, patching, and backup controls as minimum conditions.
ROI framing: AUD $15,000/year in proactive cybersecurity prevents an expected loss exposure of $122,000–$4.26M, plus ACQSC enforcement risk. That is an 8x–280x return on investment before accounting for non-financial harms to residents and staff.
FAQ
A foundational cybersecurity programme for a small-to-medium aged care provider (1–3 facilities or a home care service) starts at AUD $5,000–10,000 per year for MFA, mobile device management, encrypted backups, and staff phishing training. Managed security services (monitoring, patch management, incident response retainer) add AUD $8,000–25,000/year. An annual penetration test costs AUD $5,000–15,000 depending on the number of systems and facilities in scope. For context, the average cost of a cyber attack on an Australian small business is AUD $122,000 before regulatory response costs — and aged care regulatory costs (ACQSC + OAIC) can dwarf direct financial losses.
The biggest cybersecurity risk for Australian aged care providers is ransomware targeting care management systems — particularly when it creates care continuity failures (staff unable to access medication schedules, fall risk assessments, or emergency contacts). This creates simultaneous patient safety, regulatory, and privacy risks. The secondary risk is phishing attacks on care workers, which provide the initial access point for ransomware and data theft. The Respect aged-care breach (October 2024) confirmed that even regional and mid-sized operators are actively targeted by ransomware actors.
ISO 27001 is not legally mandated for aged care providers, but it is the best available framework for demonstrating mature cyber security governance to the ACQSC, private health insurers, and local health districts. The strengthened quality standards under the Aged Care Act 2024 require providers to demonstrate systematic cyber security governance — ISO 27001 provides exactly this evidence. For providers tendering for large residential aged care contracts or those with multiple facilities, ISO 27001 certification provides a competitive advantage and reduces ACQSC audit risk.
Annual penetration testing is recommended for aged care providers — particularly of care management systems, resident portal interfaces, and network infrastructure. After any significant IT change (new care management software, facility expansion, cloud migration), a targeted penetration test should be conducted. Cyber liability insurers increasingly require annual pen tests as a coverage condition for aged care providers given the sector's high breach rate.
A breach at an aged care provider triggers multiple simultaneous obligations: (1) Assess within 30 days whether it is an eligible data breach under the NDB scheme — almost certainly yes given the sensitivity of resident health and financial data. (2) Notify the OAIC and affected residents and their families as soon as practicable. (3) Notify the ACQSC if the breach affects the provider's ability to deliver safe and quality care. (4) Notify your cyber insurer immediately — delay can void coverage. (5) Report ransom payments to ASD within 72 hours (for providers with turnover >$3M, from 30 May 2025). (6) Implement care continuity procedures for the period systems are unavailable. Multiple simultaneous investigations — by the OAIC (privacy), ACQSC (quality standards), and potentially the ASD — are common after significant aged care breaches.
References
[1] Aged Care Quality and Safety Commission (ACQSC), "Technology and Cyber Security Topic Guide," Australian Government, 2024. [Online]. Available: https://www.agedcarequality.gov.au/sites/default/files/media/topic-guide-17-technology-and-cyber-security.pdf
[2] Grant Thornton Australia, "What the Aged Care Act 2024 means for providers," Grant Thornton Insights, Dec. 2025. [Online]. Available: https://www.grantthornton.com.au/insights/blogs/what-the-aged-care-act-2024-means-for-providers/
[3] Cyber Daily, "Threat actors allegedly leak sensitive data of Australian aged-care firm," Cyber Daily, Oct. 2024. [Online]. Available: https://www.cyberdaily.au/security/11180-threat-actors-allegedly-leak-sensitive-data-of-australian-aged-care-firm
[4] Office of the Australian Information Commissioner (OAIC), "Notifiable Data Breaches Statistics: January to June 2025," Australian Government, Nov. 2025. [Online]. Available: https://www.oaic.gov.au/news/blog/latest-notifiable-data-breach-statistics-for-january-to-june-2025
[5] IBM Security, "Cost of a Data Breach Report 2024," IBM Corporation, Jul. 2024. [Online]. Available: https://www.ibm.com/reports/data-breach
[6] SecurityBrief Australia, "Average cost of an Australian data breach hits AUD $4.26 million," SecurityBrief, Aug. 2024. [Online]. Available: https://securitybrief.com.au/story/average-cost-of-an-australian-data-breach-hits-aud-4-26-million
[7] Australian Signals Directorate (ASD), "Annual Cyber Threat Report 2024–2025," Australian Government, 2025. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025
[8] MinterEllison, "Privacy and Other Legislation Amendment Act 2024 now in effect," MinterEllison Insights, Dec. 2024. [Online]. Available: https://www.minterellison.com/articles/privacy-and-other-legislation-amendment-act-2024-now-in-effect
[9] My Aged Care, "Privacy," Australian Government Department of Health and Aged Care. [Online]. Available: https://www.myagedcare.gov.au/privacy
[10] Stephens Lawyers & Consultants, "Data Breach, Cyber Security and Privacy Law Update — Sept 2025," Stephens Lawyers, Sep. 2025. [Online]. Available: https://stephens.com.au/data-breach-cybersecurity-and-privacy-law-update-september-2025/
Need help securing your Aged Care business? Book a free consultation with lilMONSTER — Australia's no-BS cybersecurity team for SMBs.