← Writing

The Audit Is Already Scheduled

A breach notice by SMS and a ministerial reply about the largest education breach on record, inside the same month, and neither contains a sentence the recipient can verify: the party that knows what was taken is never the one writing to you. An audit is not a badge you receive; it is a question you put to your own systems. If your customers' data sits in stacks you rent, the involuntary version is already scheduled.

17th July 2026 · 14 min read

The SMS arrived on 15 July 2026 from Partnered Health, parent company of the GP clinic I have used for years, with an email close behind. On 23 June, it said, the company had become aware that a malicious actor accessed its systems and took patient personal information: names, dates of birth, Medicare numbers, and medical records including consultation notes, referral letters and pathology results. Three weeks passed between discovery and the notice, and the notice closed by recommending I use strong passwords.

I have spent my career building and running infrastructure that holds other people’s data, and it leaves a habit: you read a letter like this for what it cannot say. This one could not say what they touched.

The letter is drafted years before the breach, by the design of the systems it describes. Design can also refuse to write it: at NSW Health I built a privacy architecture that linked the general practice records of more than six million people without the Ministry ever receiving a name.

Five days before the intrusion was discovered, Bupa had announced it was acquiring Partnered Health and its 68 clinics from Quadrant Private Equity, which had taken majority ownership in late 2020. The company’s headline response was an interim injunction from the Supreme Court of New South Wales ordering that the stolen data not be used or published. That is real legal work, diligently executed, and it is addressed to criminals. The same court granted the same order to IVF provider Genea in 2025, and the stolen patient records were published on the dark web anyway. Exfiltrated data is copied, not borrowed. My consultation notes are wherever they are now, and a court order does not change the address.

The pattern has a structure, not a villain

The industry frames an incident like this as a vendor problem with a legal response and a notification obligation, and every word of that frame points away from the question that matters. Every consequence in this story lands on one side. The sellers got their exits, the acquirers got their platforms, and the people in the files got lifetime exposure and advice about passwords. In two decades the records of a life have moved out of filing cabinets and local servers into data lakes owned by whoever bought them last, and nobody was asked, because seeing a doctor, enrolling in school or carrying a phone means handing the records over. Technology rebuilt who holds your life without ever rebuilding who answers for it.

Healthcare and education platforms aggregate data because aggregated data is what makes a platform worth acquiring. Records accumulate across acquisitions, products and integrations, every accumulation raises the valuation at the next sale, and nothing in the sale process prices the security debt, because the debt is invisible until someone else discovers it, usually after the exit. Quadrant is one of the most skilled practitioners of this model in the country, and the Partnered Health exit was not a lapse; it was the model executed well. When the most competent operators of a system produce this outcome, the outcome is not a failure of the system. It is the system.

Instructure is the same story at full scale. Thoma Bravo took the Canvas maker private for $2 billion in 2020, and KKR bought it for $4.8 billion in 2024; the month the deal was announced, Instructure launched Intelligent Insights, an AI analytics product built over the student data accumulated in Canvas. In April 2026, ShinyHunters got into Canvas production systems and claimed 3.65 terabytes covering roughly 275 million users, the largest education breach on record, and Instructure settled one day before the leak deadline. So the same accumulation of student records was priced three times in six years: by KKR as a valuation, by the AI product as a feature, and by ShinyHunters as a ransom. The breach did not contradict the strategy. It appraised it.

An audit is something you run

The word audit has been diluted into something you receive: a PDF, a badge, an annual attestation. In operations it is something you do. Systems you can see, logs you hold, an evidence chain you can walk end to end without asking permission. When the question is “what did they touch,” an owner queries their own trail and answers it; a tenant writes a letter to the vendor and waits.

Queensland schools run Canvas as QLearn, and that week’s assurances had a consistent shape: names, email addresses and school locations compromised, no evidence anything worse was touched. Reassuring, specific, and single-sourced, because every checkable fact originated with Instructure, then days from settling with its attackers. I wrote to the Queensland Education Minister with two questions that seemed answerable: had the department engaged its own forensic investigators, and, since student email addresses were among the stolen data, who could now send mail directly to a student’s inbox? The reply took six weeks and answered both by demonstration. The contract is commercial-in-confidence. The forensic investigation is CrowdStrike’s, engaged by Instructure to examine Instructure. The inbox question was not answered at all. And on verification, the letter relayed Instructure’s advice that the affected data “had been recovered and would not be publicly released.”

There is no recovering copied data

The experiment has already been run, more than once. PowerSchool paid its ransom, was shown a video of the stolen files being deleted, and within months the same data was extorting individual school districts. Medibank refused to pay in 2022, and the records of 9.7 million people went onto the dark web in tranches. Paying buys a promise, refusing calls the bluff, and both paths end at the same address. Instructure settled with ShinyHunters the day before the department received its advice, and somewhere along the chain from criminal promise to ministerial letterhead, “they agreed not to publish it” became “it has been recovered.” I do not believe anyone in that chain lied, and the department was not stonewalling; it rents the platform too, which puts it in the same position as the families it wrote to. Each layer compressed what the layer below told it, until the assurance had no author left. That is what verification looks like when you rent: a letter you cannot check, about a contract you cannot read, describing an investigation commissioned by the party being investigated.

Students and their families also received a fact sheet advising them to watch for suspicious links and not respond to phishing. Sensible in the way the strong-passwords line was sensible, and misdirected in the same way: the data was taken from a system students were required to use, procured and managed by adults whose job was to protect it, and no amount of careful clicking would have kept their records where they were. Advice like this quietly moves the failure from custodianship to behaviour and hands it to the youngest person in the chain.

The badges were all present

Every company in this story could produce a certification wall. SOC 2, ISO 27001, the full set, none of it fake and none of the auditors negligent. A certification simply answers a narrower question than the one you care about: it certifies that the vendor’s documented process met a standard at assessment time, and it says nothing about what happens to your records when an integration three acquisitions deep turns out to be the way in.

ShinyHunters did not break the platforms. Microsoft’s analysis of a year of their activity shows the group entering through the trust organisations extend outward: an OAuth token granted to a third-party vendor, one compromised integration cascading into the next, social engineering scaled by AI voice agents capturing credentials by the thousand. Hand that operation a list of student email addresses tied to names and school locations and the lure writes itself: the right school, the right name, arriving in an inbox a student is required to check. That is why the inbox question was not academic, and why a fact sheet asking students to spot phishing asks children to outperform the trained adults ShinyHunters already defeats. The perimeter you are defending is not your network. It is every organisation you integrated with, and their certifications do not transfer. Past the last integration there is no perimeter at all, only the people in the files, holding a fact sheet.

The first-party audit

Every audit in this story so far was run by someone else: a certifier grading the vendor’s paperwork, a forensic firm engaged by the party it was examining, an attacker scoping what the contract never covered. The first-party audit is the one you commission from yourself, and it asks a single question: what did they touch. Put it to the system holding your most sensitive records and watch two things: how long the answer takes, and whose word it rests on. If the honest result is a letter and a wait, you are a tenant, whatever your org chart calls you. That is why ownership is the design decision that matters. Not because it prevents breaches; nothing prevents breaches. Because it determines what you know afterwards, how fast you know it, and whether your notification says “we have confirmed exactly what was accessed” or “our investigation is ongoing.”

There is no product at the end of that audit and no badge for passing it, and the people who nod when they hear it are usually the ones who have lived through an incident and remember exactly how long the second question took to answer. Failing it is a finding, not a verdict, and findings come with remediations; what follows is the remediation, drawn from a system that ran at state scale.

Ownership is operating capability

Ownership is easy to mishear as owning the hardware. General practice already ran that experiment: the Windows server under the reception desk, unpatched since its installer stopped answering the phone, owned outright and audited by nobody, twenty years of title to the box and not a day of custodianship. The modern independent practice owns no hardware and holds more of the ownership that matters: it went cloud-native deliberately, can name its vendor, read its own contract and export its own data, and its worst day exposes one clinic’s records.

The split maps onto who sells. The private equity pitch lands on the legacy cohort, where the principal is near retirement and the back room is past saving, so the platform gets assembled from the sector’s worst estates, the records migrate into one data lake, and the valuation compounds across clinics while the custodianship stays the size it was. Consolidation fixed the server and scaled the target. The modern independent was never the problem the roll-up claimed to solve, which is what makes it an indictment rather than a solution.

Privacy-preserving design is the custodianship

Ownership is half of the answer. The other half is refusing to assemble the target, and I know refusing is possible because I spent three and a half years building the refusal.

At NSW Health I was the architect on Lumos, the program that linked the general practice records of more than six million people, over half the state’s population, to hospital, emergency department, cancer registry and mortality data. The Ministry never received a name, a date of birth or an address, and the dataset could not legally exist in any other form: the privacy architecture was not a control applied to the program, it was the reason the program was allowed to exist. Years later the dataset is still producing peer-reviewed research, and none of it ever needed a name, because the analytical value lives in the linkage, not in the identities travelling beside it.

The mechanics deserve a paragraph, because the pattern is portable to any sector where multiple custodians need a joined view they cannot legally assemble, and finance, tax and social services are the same shape. Inside each practice, before anything left the building, identifiers were hashed into salted one-way Bloom filter encodings, tuned separately for every data class, because the configuration that links dense hospital records cleanly will leak re-identification risk on a sparser source. The linkage authority matched probabilistically on the encodings alone, and the result validated at about 96 percent against traditional identified linkage, which is the empirical answer to the objection that privacy costs you the join. Every file moved through a credentialed portal that made the evidence chain queryable end to end, and analysts only ever saw derived datasets behind role-based access. Then the implementation was handed to the Curtin University group that originated the encoding method and defined its attack surface, with a standing brief to break it. That is what assurance looks like when you own the architecture: not a generalist’s badge, an adversarial review by the people best qualified to embarrass you.

A system built that way changes what a breach is worth. Compromise the ingestion layer, compromise the warehouse, compromise a vendor in the chain, and what the attacker walks away with is encodings, not identities. Nothing prevents the break-in; design decides what the break-in takes. The Partnered Health letter shows what happens when that class of design is treated as optional hardening: names, Medicare numbers and consultation notes were taken together because they were stored together.

The cryptography, for all the space it takes in a description like this one, was the smaller engineering problem. The larger one was making heterogeneous general practice software, vendor extraction quirks and practice-level data quality behave as one repeatable pipeline, and knowing when privacy-preserving linkage is even the right instrument, because New South Wales also runs traditional identified linkage under a different threat model and a heavier governance path. Which method a dataset actually needs is a judgement call no certification covers, and the wrong call fails in one of two expensive directions: cryptography where identified linkage would have been cleaner, or an identified pool where the law required the encoded one.

Every proposal to use AI on health data begins with someone wanting to pool the records, and that proposal is Intelligent Insights again, in the one sector where the records follow you for life. Pooling is a choice, not a requirement, and a design that refuses to assemble identities alongside clinical data gives up nothing that matters; it just never builds the asset the ransom gets priced on. In healthcare, privacy-preserving design is not an enhancement to custodianship; it is the custodianship.

None of this requires a ministry budget or a machine of your own; the ownership it asks for is the operating kind, and for a tenant it starts at the renewal negotiation. Logs describing access to your customers’ data should land continuously in storage you control, not arrive on request after an incident, and raw log export, telemetry coverage of your tenancy and audit rights that survive the vendor’s own incident response all belong in the contract before you need them; written in, they turn “what did they touch” into a query you run instead of a letter you send. The rest is the pattern drawn above, and it is where the expensive failures live, in parameter choices and access models that look right until the first join. That is the work I do now, and it costs less than the involuntary version.

The gap is set years in advance

I have stood at both ends of this. I spent five years at Optus building and running the content delivery network behind Optus Sport, and I was inside the company in September 2022 when a breach put customer data in play. I will not write about it, and the argument does not need me to. What it teaches is not specific to any one company: every hour between “something has happened” and “here is exactly what happened” is paid for in trust, at a rate that compounds, and the length of that gap is set years in advance, by whether the systems holding the answer are ones your own people can walk.

Partnered Health’s three-week notice was lawful in every particular; Australia’s scheme allows thirty days to assess, then “as soon as practicable” to notify, with the harm threshold applied by the breached party itself. A deadline regulates when the letter arrives, not what it can say, and exploitation now starts inside the notification window: the scam call that knows your clinic can arrive before the SMS naming its source.

Ask any company in this story to name its most valuable asset and you will hear the same word: trust. Take them at their word and hold them there, because trust is exactly what an unanswered “what did they touch” spends, hour after hour, and none of them could stop the spend; the systems that held the answer belonged to someone else.

Within a month I had collected an SMS from a healthcare network and a ministerial reply on government letterhead. Different sectors, different channels, the same shape underneath: the party that knows what was actually taken is never the one writing to you, and nothing in either notice is something the recipient can check, because both were composed for the record rather than the recipient. Every platform here got an audit in the end, the involuntary kind, scoped by the attacker and priced by the ransom. If your customers’ data sits in stacks you rent, that audit is already scheduled, and this notice is the artefact you are on track to send. The compliance wall will be intact when you send it.

Connect