Privacy | 6 October 2025 | 8 min read

Notifiable Data Breaches in Healthcare: What Your Practice Must Do

Tags: privacy act, healthcare, data breach

A data breach at a healthcare practice is not just a technical problem. It is one of the most sensitive events that can occur in a patient-provider relationship — and under Australia's Notifiable Data Breaches (NDB) scheme, it triggers legal obligations that your practice must fulfil promptly and correctly.

Despite the seriousness of the obligation, many small healthcare practices do not have a documented data breach response plan. Some aren't even certain what constitutes a notifiable breach. This article explains what you need to know and what you need to have in place. For your broader healthcare compliance obligations, see our complete checklist.

What Is the Notifiable Data Breaches Scheme?

The NDB scheme is Part IIIC of the Privacy Act 1988 (Cth). It applies to every entity that must comply with the Australian Privacy Principles (APPs), and that includes every healthcare provider: healthcare providers are covered regardless of their size or turnover.

The scheme requires eligible organisations to:

  1. Assess whether a data breach meets the threshold for notification
  2. Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if the threshold is met

The notification obligation is triggered when there has been an eligible data breach.

What Is an Eligible Data Breach?

An eligible data breach occurs when:

  1. There is unauthorised access to, or unauthorised disclosure of, personal information; OR there is a loss of personal information in circumstances where unauthorised access or disclosure is likely; AND

  2. The breach is likely to result in serious harm to one or more individuals.

The "likely to result in serious harm" test is critical. Not every breach triggers notification — only those where there is a real risk of serious harm. But for healthcare practices handling sensitive health information, this bar is lower than for general business data breaches.

What Counts as "Serious Harm"?

Serious harm includes physical, psychological, emotional, economic, and reputational harm. In healthcare contexts, relevant examples include:

  • A patient's mental health diagnosis being disclosed to a family member who then discriminates against the patient
  • HIV status disclosed in a way that affects employment or relationships
  • Confidential medication information disclosed to a domestic violence perpetrator
  • A patient's psychiatric history exposed in a breach whose stolen data is then used for identity theft
  • Sensitive reproductive health information disclosed without consent

The OAIC considers several factors in assessing whether harm is "likely":

  • The sensitivity of the information (health information is among the most sensitive)
  • The potential harm to the individuals affected
  • Whether the information is in a usable form
  • Whether protections exist (e.g., encryption)

For most breaches involving patient health records, the sensitivity of the data means that serious harm is frequently likely.

What Counts as a Breach?

Examples relevant to healthcare practices:

Unauthorised disclosure:

  • Sending a patient's clinical notes to the wrong email address
  • A receptionist emailing a patient's referral to the patient's employer by mistake
  • A staff member accessing and disclosing patient records outside the scope of their role (e.g., looking up a celebrity patient's records out of curiosity)
  • Social media posts that inadvertently identify patients

Unauthorised access:

  • A ransomware attack that encrypts your practice's records
  • A hacker accessing your patient management system
  • A former employee using access credentials they shouldn't still have

Loss:

  • A laptop containing patient records being stolen from a staff member's car
  • Paper records left in an insecure area accessible to the public
  • A USB drive with patient data being lost

Not a breach:

  • A hack that was unsuccessful (no data accessed)
  • A breach where the data was encrypted and the encryption remains intact (the data cannot be read, and the key was not exposed alongside it)
  • Accidental deletion with no disclosure to a third party (though this may be a loss of data, it's not the same as a notifiable data breach)

The Two-Step Assessment Process

When a potential data breach occurs, the NDB scheme requires you to:

Step 1: Assess

Conduct a reasonable and expeditious assessment of whether the breach is eligible. You have 30 days to complete this assessment from when you become aware of the breach.

However — 30 days is a maximum, not a target. The OAIC expects assessment to be completed as soon as practicable. If the nature of the breach makes serious harm clearly likely (e.g., patient mental health records sent to a third party), you should proceed to notification without using the full 30-day window.

During assessment:

  • Establish what happened (what data, who was involved, how it occurred)
  • Identify the individuals affected
  • Assess whether serious harm is likely
  • Consider whether remediation steps (e.g., retrieving the data, encrypting it) have contained the breach

Step 2: Notify (if threshold is met)

If the breach is eligible, you must notify:

The OAIC: Submit a notification via the OAIC's online NDB notification form. The notification must include:

  • Your contact details
  • Description of the breach
  • The type of information involved
  • What you recommend affected individuals do

Affected individuals: Notify each individual whose information was involved in the breach. Notification must be:

  • Direct (email, letter, phone) where reasonably practicable
  • If direct notification is not reasonably practicable (e.g., you don't have current contact details for all affected individuals), you may publish a statement on your website instead

Notification to individuals must include the same key information as the OAIC notification, plus your contact details and the support you are offering to affected individuals.

Timing: When Must You Notify?

The Act requires notification "as soon as practicable" after you become aware that the breach is eligible. There is no specific statutory deadline (unlike, for example, the GDPR's 72-hour notification rule in the EU).

However:

  • The OAIC's guidance recommends notifying as soon as possible
  • Delays in notification that are not justified by genuine assessment activity are likely to be viewed negatively by the OAIC
  • Delay increases the risk of ongoing harm to affected individuals

Practical guidance: If you become aware of a breach that clearly involves sensitive health information and likely serious harm (e.g., a data theft with patient records clearly compromised), you should aim to notify the OAIC within 30-72 hours of confirming the breach is eligible. Longer delays require genuine justification.

The OAIC's Enforcement Powers

The OAIC has significant enforcement powers if your practice fails to comply with the NDB scheme:

  • Investigating complaints and conducting own-motion investigations
  • Making determinations requiring remedial action
  • Seeking civil penalty orders in the Federal Court for serious and repeated interferences with privacy

Penalties for serious or repeated privacy breaches were significantly increased in 2023. For healthcare providers, the maximum penalties can reach:

  • For bodies corporate: $50 million, three times the benefit obtained, or 30% of adjusted turnover — whichever is greatest

These are not small-practice-exempt amounts. Healthcare providers of all sizes are subject to the full penalty regime.

Building a Data Breach Response Plan

Every healthcare practice should have a documented data breach response plan. The plan should cover:

  1. Who is responsible for coordinating the response (typically the practice manager or principal)
  2. How to identify a potential breach (what does it look like? What triggers should staff be alert to?)
  3. How to contain the breach (stop ongoing access, retrieve data where possible)
  4. How to assess the breach (who makes the decision? What factors are considered?)
  5. How to notify — the OAIC form, how to contact affected patients, what to say
  6. Post-breach steps — how to prevent recurrence, what to document

Your plan should be tested — not just written and filed. Run a tabletop exercise to ensure staff understand their roles.

Common Healthcare Data Breach Scenarios and How to Handle Them

Misdirected fax/email: Immediately contact the recipient and request deletion. Document the containment effort. Assess whether harm is likely given what was sent and to whom.

Ransomware attack: Engage a cybersecurity incident response service immediately. Do not pay ransom without advice. Assume data was accessed. Notify the OAIC promptly. Notify affected patients once the scope is known.

Staff accessing records without authorisation: Terminate the unauthorised access immediately. Investigate the scope. Treat this as a serious breach — disciplinary action for the staff member; assessment and notification if patient data was disclosed externally.

Lost laptop/device: Was the data encrypted? If yes, the risk of harm may be lower and notification may not be required. If unencrypted — treat as an eligible breach and proceed with assessment.

How Reguladar Helps

Privacy breach response, AHPRA registration, employment law compliance, and tax obligations — small healthcare practices carry a heavy compliance burden. Reguladar gives healthcare business owners a single dashboard tracking all their obligations, including privacy compliance milestones.

Start your free compliance check at Reguladar →
