Privacy | 7 October 2025 | 7 min read

Patient Data Breaches: Your Response Obligations and the 72-Hour Window

Tags: privacy act, healthcare, data breach

A data breach involving patient health records is one of the most serious events that can occur in a healthcare practice. The information involved is among the most sensitive that exists — mental health diagnoses, HIV status, reproductive health, addiction history, domestic violence disclosures. The potential harm to patients from unauthorised disclosure is real and significant.

When a breach occurs, your obligations are clear — but they require action, often under pressure, within a time-sensitive window. This guide gives you the step-by-step framework for responding correctly. For broader context, see our notifiable data breach guide for small business.

The Obligation in Brief

Under Australia's Notifiable Data Breaches (NDB) scheme (Part IIIC of the Privacy Act 1988), healthcare providers must:

  1. Assess the breach to determine whether it is an "eligible data breach" requiring notification
  2. If it is eligible: Notify the Office of the Australian Information Commissioner (OAIC) and affected patients
  3. Complete the assessment within 30 days of becoming aware of the breach — but notify as soon as possible, not at the end of 30 days

There is no statutory 72-hour deadline in Australian law (unlike the GDPR's 72-hour rule). However, the OAIC expects prompt notification, and delays without justification will be viewed critically. For healthcare practices — where the sensitivity of patient information makes serious harm more likely — the practical expectation is notification well within 72 hours of confirming the breach is eligible.

Step 1: Identify and Contain (Hours 0-4)

When a potential breach is identified:

Immediately:

  • Stop the breach from continuing — if the breach is an ongoing unauthorised access (e.g., a ransomware attack, a system compromise), take immediate steps to contain it (disconnect affected systems, revoke access credentials, engage your IT provider)
  • Document what you know so far — time, nature of the breach, data involved, number of patients affected
  • Do not destroy evidence — the instinct to "fix and clean up" can destroy information you'll need for your assessment and notification. Take screenshots, preserve logs.
  • Notify your practice principal or practice manager — one person should coordinate the response

In the first hours:

  • Assess the scope — what patient data was involved? How sensitive is it? How many patients?
  • Engage your IT provider (if the breach is technical) to understand what was accessed
  • Consider legal advice — if the breach is significant, engaging a privacy lawyer in the first hours will help you navigate notification obligations and manage your exposure

Step 2: Assess (Hours 4-24)

Your legal obligation is to conduct a "reasonable and expeditious assessment" of whether the breach is an eligible data breach.

Is this an eligible data breach?

Answer these questions:

1. Was there an unauthorised access, disclosure, or loss?

  • Was patient health information accessed by someone who shouldn't have it? (Yes = proceed)
  • Was patient health information disclosed to a third party without consent? (Yes = proceed)
  • Was patient health information lost in a way where unauthorised access is likely? (Yes = proceed)

2. Is the breach likely to result in serious harm to one or more individuals?

For health information, this test has a lower bar than for, say, name-and-address data alone. Consider:

  • The sensitivity of the information (health information is among the most sensitive)
  • The nature of the information (mental health, HIV status, substance abuse, domestic violence — highest sensitivity)
  • The potential uses of the information (identity theft, discrimination, social harm)
  • Whether containment was successful (did you get the data back before it was used?)

If both tests are met: you have an eligible data breach and must notify.

Assessment documentation

Document your assessment process:

  • What information was reviewed
  • Who was involved in the assessment
  • The conclusion and the reasons for it

This documentation demonstrates you conducted a genuine assessment.

Step 3: Notify (As Soon as Possible after Assessment)

If the breach is eligible, you must notify both the OAIC and affected patients.

Notifying the OAIC

Submit your notification via the OAIC's NDB notification form on their website. The notification must include:

  • Your organisation's name and contact details
  • A description of the breach
  • The kind(s) of personal information involved
  • What steps you recommend affected individuals take in response

You do not need to wait until your investigation is complete before notifying — you can notify based on what you know at the time, and update the OAIC if more information comes to light.

Notifying Affected Patients

Each patient whose information was involved in the breach must be notified directly — by phone, email, or letter. If you cannot notify all patients directly (because you don't have current contact details for all of them), you must publish a statement on your website.

Your patient notification should include:

  • Your practice's name and contact details
  • A description of what happened (written clearly, without technical jargon)
  • What information was involved
  • What steps you've taken to contain the breach
  • What support you're offering (e.g., counselling referrals, credit monitoring if financial data was involved)
  • What the patients can do to protect themselves
  • Who to contact if they have questions

Tone matters. This is a communication to patients who trusted you with some of the most sensitive information in their lives. The notification should be honest, direct, empathetic, and action-focused. Avoid corporate defensiveness or minimisation.

What Not to Do

  • Do not delay notification because you're waiting for absolute certainty about what happened. The obligation is to notify once you reasonably believe the breach is eligible.
  • Do not notify patients in a way that itself creates a privacy risk (e.g., group email with all patient addresses visible).
  • Do not make representations to patients that aren't true ("your data is completely secure" when it isn't).

Step 4: Review and Remediate

After the immediate response:

  • Investigate the root cause — why did the breach happen? What controls failed?
  • Implement remediation — fix the vulnerability that caused the breach
  • Update your breach response plan based on what you learned
  • Train staff on what went wrong and what to do differently
  • Review your security posture — are there other vulnerabilities?

Preparing Before a Breach Happens

The best time to prepare for a data breach response is now, not when it's happening.

Develop a data breach response plan that covers:

  • Who coordinates the response
  • Who has authority to make notification decisions
  • Contact details for your IT provider, legal adviser, and the OAIC
  • Template patient notification letter (ready to customise)
  • Staff roles and responsibilities

Practice it. A tabletop exercise (even an informal one with your reception and clinical staff) helps everyone understand their role before the pressure is on.

Harden your systems:

  • Ensure all devices with patient data are encrypted
  • Implement multi-factor authentication on practice systems
  • Train staff regularly on phishing and social engineering (most breaches start with a human error)
  • Limit access to patient records based on role

How Reguladar Helps

Managing privacy compliance alongside AHPRA obligations, employment law, and tax — as a small healthcare practice — is a significant and ongoing challenge. Reguladar gives healthcare practice owners a single compliance dashboard tracking all their obligations in one place, so the important things don't get lost in the day-to-day.

Start your free compliance check at Reguladar →
