Based in Victoria, Elina Medical Weight Loss Clinic is a leading weight-loss centre that has worked with over 1,000 patients on weight-loss programs. The clinic forms part of Waverly GP in Glen Waverley, Victoria.
Notorious threat actor 2019 listed the clinic on an infamous hacking forum, claiming to have stolen the data of over 28,000 patients across over 300,000 records.
According to the listing, the allegedly stolen data includes names, addresses, dates of birth, email addresses, gender, home and mobile numbers, Medicare card details, postcodes and appointment records, including doctors, booking times, reminder status and payment status fields.
In the past, 2019 has both sold data and released it for free, with the latest listing being a one-time sale in exchange for cryptocurrency.
Sample data was also included in the 2019 listing; however, the legitimacy of the data has not been verified.
Responding to Cyber Daily’s request for comment, Elina Medical Weight Loss Clinic said it could confirm an unauthorised user gained access but the incident had been contained and an investigation is underway.
“While the investigation is still in its early stages, we can confirm two Elina HotDoc user accounts were logged into by an unknown third party. The incident was quickly contained, with activity limited to these Elina accounts,” the clinic said.
“The unknown third party no longer has access and Elina’s broader IT environment remains secure and unaffected.
“Our clinic is operating as normal with zero disruption to patient care. Elina is working to verify what specific information within HotDoc has been accessed, so it can inform potentially impacted patients.”
The clinic also addressed the online claims and said that while they may prove concerning for customers, it is making security and its investigation its top priority.
“We recommend that our patients remain vigilant against the risk of potential phishing emails or scam calls, which are often the most likely risk associated with unauthorised access to contact information,” the statement said.
“We take cyber security seriously and are committed to keeping all our patients updated as we work to respond to this incident.
“We are also liaising with the relevant authorities in response to this incident alongside various experts across the cyber security industry.
“We would like to assure our patients that we are taking all appropriate steps to remediate this situation as swiftly as possible and have also implemented sophisticated monitoring systems to ensure we are aware of any further developments.
“We understand this news may cause concern to our patients and would like to thank them for their ongoing support as we work to resolve this as swiftly as possible.”
Elina Medical Weight Loss Clinic then provided advice for consumers on how to protect themselves from any potential fallout, which includes not sharing personal information unless the recipient is confirmed and trustworthy, remaining vigilant against suspicious activity, keeping passwords up to date and using a password manager, using multi-factor authentication, not responding to suspicious links and phone calls and monitoring bank accounts.
Who is 2019?
Threat actor 2019 has been active on underground hacking forums since early 2026 and has made more than 30 leak posts in that time, with the majority referencing Australian victims such as the Australian Centre for the Moving Image and Services Australia.
While Australian organisations appear to be 2019’s preferred target, they have also listed entities from the United States, the United Arab Emirates, France, and Italy.
Generally, 2019 offers stolen data for free, but in some cases, it is sold online in a one-time sale in return for bitcoin, Ethereum or Monero cryptocurrencies.
Most recently, 2019 reached out to media and other individuals using what appeared to be the noreply email for the Australian Privacy Commission.
The emails, two of which were received by the Cyber Daily team, contained abnormal content, with the email sent to this writer having the subject line “:(” and simply reading “cybercriminals are not terrorists”, as well as a table that featured the words “f--- you”.
The incident was attributed to 2019 as the emails also contained a link to what appears to be their user page on a threat forum.
A day later, on 10 June, the Productivity Commission (PC) confirmed the incident, stating it was aware of the issue and had launched an investigation into the matter.
“On 9 June 2026, some members of the public received unsolicited emails from a Productivity Commission email address. Some of these emails contained identifying information that the sender implied had been taken from PC records,” the Productivity Commission said.
“As a result of our initial investigation into this issue, we have determined that an external third party is the source of these emails. During our review, we found no evidence that any of the identifying information used in the emails has come from the PC. The PC website does not store personal data in a way that would expose user emails, and many of the affected individuals have had no prior engagement with the PC.”
The Productivity Commission added that a vulnerability was identified and had now been patched.