
Aged Care Is the Most Targeted Healthcare Sub-Sector in Australia. Is Your Organisation Ready?


Australia's aged care sector has entered a new era of accountability. With the Aged Care Act 2024 now in force since 1 November 2025, providers are navigating heightened governance expectations, tighter compliance obligations, and the operational pressure of serving a rapidly ageing population. For Retirement Living and Aged Care providers attending the Leaders Summit 2026 at the Hyatt Regency Sydney on 24 & 25 March 2026, one theme cuts across every pillar of reform: cybersecurity is no longer optional.

At Insicon Cyber, we work with aged care providers across Australia and New Zealand to build cyber resilience that protects residents, satisfies regulators, and keeps boards out of harm's way. Here is what every supplier and vendor needs to understand about the four pressure points reshaping the sector — and why cybersecurity sits at the intersection of all of them.

 


The Stakes Have Never Been Higher

According to CyberCX's Diagnosing Cyber Threats in Healthcare 2025 report, non-hospital clinical service providers — including aged care — are the most targeted healthcare sub-sector in Australia, facing ten times more publicly claimed cyber attacks than hospitals. Cyber extortion is the dominant attack type: criminals are targeting an industry that holds highly sensitive personal, health, and financial data about some of Australia's most vulnerable people.

The consequences of a breach are no longer limited to reputational damage. Under the new Aged Care Act, cybersecurity failures can now attract criminal penalties of up to two years' imprisonment, substantial fines, and potential loss of provider registration. Boards and governing bodies carry direct accountability. This is the regulatory environment your aged care clients are operating in today.


1. Quality and GRC: Cybersecurity Is Now a Quality Standard

The new Aged Care Act 2024, which came into effect on 1 November 2025, introduced strengthened Quality Standards covering everything from food and nutrition to infection control and clinical governance. What is less widely understood is that information protection and cyber incident reporting are now embedded within those standards.

The Aged Care Quality and Safety Commission (ACQSC) has made clear that governing bodies must actively oversee technology and cyber risk, including exposure through third-party vendors and supply chains. A breach at a supplier level — care management software, nurse call systems, communications infrastructure — can cascade across multiple facilities and trigger mandatory notifications under the OAIC Notifiable Data Breaches scheme.

For vendors, this creates both a challenge and a competitive differentiator. Suppliers that can demonstrate their own cybersecurity posture — and help providers satisfy their compliance obligations — will have a material advantage in procurement conversations.

The Insicon Cyber perspective: We help aged care providers conduct cybersecurity gap analyses aligned to the Essential Eight maturity model and the Quality Standards framework. Also, if you are a vendor asking "how does my product affect my client's compliance posture?", that is exactly the right question — and we can help both sides of that conversation.

 


2. Technology: Digital Transformation Expands the Attack Surface

Electronic health records, telehealth platforms, digital reporting for star ratings, and connected care devices are no longer optional for aged care providers — they are requirements for funding and regulatory compliance. The sector's accelerating digital transformation is welcome, but it brings a proportionally expanded attack surface.

Legacy systems, high staff turnover, lean IT budgets, and complex integrations between clinical and operational platforms create an environment where a single compromised credential or unpatched vulnerability can have serious consequences. According to data cited by the Aged Care Essentials guide on data breaches, cyber security incidents account for 44 per cent of aged care data breaches, with phishing, compromised credentials, and ransomware making up more than 80 per cent of those incidents.

Technology partners who want to win and retain business in this sector need to come to the table with a clear answer to the question: how does your solution help providers stay secure, not just compliant? Integration ease, measurable security outcomes, and a track record of managing incidents with minimal disruption to care delivery will be the deciding factors.

The Insicon Cyber perspective: Our Adaptive SOC (aSOC), operating with full Australian data sovereignty, provides 24/7 managed detection and response tailored to the aged care environment. We also support technology vendors in understanding how their solutions interact with a provider's security posture — ensuring new tools strengthen rather than complicate the overall picture.

 


3. Financial Sustainability: A Cyber Incident Is a Financial Crisis

Funding model changes, new cost pressures from the Support at Home program, and the compounding effect of compliance costs are squeezing margins across the sector. In this environment, an unplanned cyber incident is not just an IT problem — it is a financial emergency.

The 2024 TPG Aged Care incident in Western Australia, in which attackers exfiltrated approximately 65 gigabytes of data before LockBit published it on a public leak site, illustrates the real-world cost: system restoration, mandatory notifications to the ACSC and OAIC, reputational damage, and the operational disruption of managing an incident alongside delivering care. For a not-for-profit provider with lean margins and a small IT team, that is potentially an existential event.

Procurement and financial technology partners have an opportunity to help providers build resilience into their operating models — but only if those partners can also demonstrate their own secure-by-design credentials. Providers are under increasing pressure from their boards and insurers to assess the cyber risk profile of every significant vendor relationship.

The Insicon Cyber perspective: We work with aged care boards and CFOs to quantify cyber risk in financial terms, assess vendor cyber posture as part of third-party risk management, and build business continuity plans that account for cyber incidents. Financial sustainability and cyber resilience are two sides of the same coin.

 


4. Workforce: Human Risk Is the Sector's Biggest Cyber Vulnerability

The aged care workforce crisis is well documented: staff shortages, new training mandates, high turnover, and wellbeing requirements are stretching providers in every direction. What is less often discussed is how workforce instability directly amplifies cyber risk.

High turnover means access credentials are frequently handed over, offboarding processes are inconsistently followed, and security awareness training rarely reaches every worker before they are handling sensitive resident data. Research cited in the aged care data breach guidance referenced above found that human error breaches rose by 36 per cent in recent survey periods — largely driven by information being sent to the wrong recipient. With a predominantly frontline workforce operating across distributed sites, the human risk surface is enormous.

New training mandates under the Quality Standards create an opening for workforce and learning technology partners, but those partners need to understand that cyber awareness and safe data handling are now part of what "compliant staff training" means. Similarly, workforce management platforms that handle sensitive rostering, payroll, and HR data carry their own cyber obligations.

The Insicon Cyber perspective: We support aged care providers with security awareness programmes designed for frontline aged care staff — not generic corporate content, but practical, role-based training that meets the operational reality of residential and in-home care settings. Our fractional CISO service also gives providers executive-level cyber leadership without the full-time overhead, helping them build the governance structures the ACQSC now expects.

 


What This Means for Delegates at the Leaders Summit

If you are attending the Leaders Summit 2026, the conversations you will have with providers will almost certainly touch on compliance anxiety, technology integration pressures, cost constraints, and workforce challenges. In every one of those conversations, cybersecurity will be the underlying thread — whether it is explicitly named or not.

Vendors who can credibly address the cyber dimension of their offering — through security-by-design architecture, documented compliance support, or a clear answer to "what happens if you are breached?" — will stand apart from those who cannot. Providers are no longer willing to absorb the cyber risk of their vendor ecosystem. The ACQSC, the OAIC, and now the new Aged Care Act have made that clear.

For New Zealand-based suppliers looking to enter or grow in the Australian aged care market, the same dynamics apply. While New Zealand's aged care regulatory framework differs, the cyber threat landscape is consistent across the Tasman, and the New Zealand National Cyber Security Centre (NCSC) has consistently emphasised health and aged care as high-priority sectors for protective guidance.


How Insicon Cyber Supports the Aged Care Sector

Insicon Cyber is a trans-Tasman cybersecurity advisory and managed services firm with deep experience in the aged care sector. Our work spans from board-level cyber advisory and fractional CISO engagements through to hands-on Essential Eight gap analysis, managed compliance, and 24/7 adaptive security operations.

We have partnered with Australian aged care providers, including James Milson Village, to build cybersecurity frameworks that protect residents, satisfy the ACQSC, and give boards the confidence that their cyber obligations are being met. 

Whether you are a provider assessing your current posture, a vendor wanting to understand how your solution interacts with provider compliance obligations, or a board member who has just read this blog and is not sure where to start — we are here to help.

Come say hello to us at our stand during the Leaders Summit, and grab your bag of jelly beans. Alternatively, read our aged care services page at insiconcyber.com/industries/aged-care or reach out directly to speak with one of our fractional CISOs.

