It did not confirm how many people had their sensitive information stolen.
"We have taken immediate steps to mitigate any potential impact on our systems," the statement reads on its website that was otherwise empty on Thursday afternoon.
"While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors."
Lt Gen Michelle McGuinness said a commercial health information organisation was attacked. (Lukas Coch/AAP PHOTOS)
The company said it was working with government agencies to manage the incident and had notified key regulators.
National Cyber Security Coordinator Lieutenant-General Michelle McGuinness said a "commercial health information organisation" had been the victim of the ransomware attack.
"I am working with agencies across the Australian government, states and territories to co-ordinate a whole-of-government response to this incident," she said in a statement.
"The Australian Signals Directorate, Australian Cyber Security Centre is aware of the incident and the Australian Federal Police is investigating.
"We are in the very preliminary stages of our response and there is limited detail to share at this stage but I will continue to provide updates as we progress while working closely with the affected commercial organisation to address the impacts caused by the incident."
I have been briefed on this incident in recent days and the government convened a National Coordination Mechanism regarding this matter today. — Clare O'Neil MP (@ClareONeilMP) https://t.co/sIBhLpBwwoMay 16, 2024
Home Affairs Minister Clare O'Neil confirmed she had been briefed on the matter but in an earlier statement wouldn't reveal the company.
"I have been briefed on this incident in recent days and the government convened a National Coordination Mechanism regarding this matter today," she wrote on social media site X.
"Updates will be provided in due course."
In September 2022, Optus suffered a massive data breach that affected 10 million Australians and resulted in the driver's licences, Medicare and passport numbers of 10,000 customers being stolen and leaked online.
It prompted the government to introduce tough penalties for companies that failed to protect the information of their customers.