Healthcare is one of the most targeted sectors for data breaches in Australia — and for good reason. Medical records contain some of the most sensitive personal information imaginable: diagnoses, medications, mental health history, sexual health information, and family medical history. A breach of this information can cause real, lasting harm to patients. 

For Australian doctors and medical practices, the consequences of a privacy breach extend beyond reputational damage. Under the Notifiable Data Breaches (NDB) scheme, certain breaches must be reported to the Office of the Australian Information Commissioner (OAIC) and to affected individuals. Failure to comply can result in regulatory investigation and significant civil penalties. 

This guide explains what constitutes a privacy breach in a healthcare context, how to assess whether you have a notifiable breach, your notification obligations, and the immediate steps to take when a breach is identified. 

The Legal Framework: Privacy Act and State Legislation 

The primary federal framework governing privacy in Australian healthcare is the Privacy Act 1988 (Cth), which applies to most private healthcare providers — including GPs, specialists, allied health practitioners, and private hospitals. The Act contains 13 Australian Privacy Principles (APPs) that govern how personal information (including health information) is collected, used, disclosed, and stored. 

Health information is classified as ‘sensitive information’ under the Privacy Act and is subject to a higher standard of protection than ordinary personal information. 

In addition to the federal framework, state and territory health privacy legislation applies in some contexts: 

  • NSW: Health Records and Information Privacy Act 2002 (HRIPA) 
  • VIC: Health Records Act 2001 
  • QLD: Information Privacy Act 2009 (applies to public sector health entities) 
  • ACT: Health Records (Privacy and Access) Act 1997 

Public hospitals and health services may be subject to state-based privacy legislation rather than (or in addition to) the federal framework. Private practitioners are generally covered by the Privacy Act. 

What Is a Privacy Breach? 

A privacy breach occurs when there is unauthorised access to, disclosure of, use of, modification of, or loss of personal information held by an organisation. In a medical practice context, privacy breaches include: 

  • A cyberattack or ransomware incident affecting practice systems holding patient records 
  • Accidental disclosure of a patient’s health information to the wrong person — for example, sending records to the wrong email address or fax number 
  • Unauthorised access to patient records by a staff member without a clinical need 
  • Loss or theft of a device (laptop, USB drive, smartphone) containing unencrypted patient information 
  • A staff member discussing a patient’s health information with an unauthorised third party 
  • Disclosure of records to a family member without the patient’s consent 
  • A break-in resulting in access to physical patient files 

Not every breach is notifiable — but every breach should be assessed promptly. 

The Notifiable Data Breaches (NDB) Scheme 

The NDB scheme, introduced in 2018 under Part IIIC of the Privacy Act, requires organisations covered by the Act — including private healthcare providers — to notify the OAIC and affected individuals when an ‘eligible data breach’ occurs. 

What Is an Eligible Data Breach? 

An eligible data breach occurs when all three of the following criteria are met: 

  1. There has been unauthorised access to, unauthorised disclosure of, or loss of personal information held by the organisation 
  2. The breach is likely to result in serious harm to one or more individuals 
  3. The organisation has not been able to prevent the likely risk of serious harm through remedial action 

The ‘serious harm’ threshold is central to the NDB scheme. Not every breach will meet this threshold. For health information — given its inherently sensitive nature — the bar for ‘serious harm’ is lower than for less sensitive information. A breach of medical records is much more likely to be an eligible data breach than a breach of, for example, contact details alone. 

Serious Harm: Factors to Consider 

In assessing whether a breach is likely to result in serious harm, consider: 

  • The sensitivity of the information — health information is highly sensitive 
  • Whether the information is protected by security measures (e.g., encryption) 
  • The persons who have, or are likely to have, accessed the information 
  • The nature of the harm that could result — including physical, psychological, financial, or reputational harm 
  • Whether the information could be used for identity theft, discrimination, or other harmful purposes 

Health Information and the Serious Harm Threshold: The OAIC has consistently taken the view that health information breaches are more likely to meet the serious harm threshold than breaches of less sensitive categories of information. If your practice has experienced a breach involving patient diagnoses, medications, mental health records, or sexual health information, assume the NDB threshold may be met and assess carefully. When in doubt, notify. 

The 30-Day Assessment Obligation 

A critical — and often missed — aspect of the NDB scheme is the 30-day assessment obligation. If you suspect that an eligible data breach may have occurred but are not certain, you have 30 days from the date you became aware of the suspected breach to assess whether it meets the threshold. 

This 30-day clock starts from when you first become aware that there are reasonable grounds to suspect an eligible data breach — not from when you confirm it. The assessment must be conducted expeditiously. If the assessment concludes that an eligible data breach has occurred, notification obligations are triggered. 

Do not delay beginning the assessment while waiting for more information. Document the date you became aware of the suspected breach. 

Who Must You Notify — and How? 

If an eligible data breach is confirmed, you must: 

  1. Notify the OAIC: Submit a notification to the OAIC via the OAIC website. The notification must include a description of the breach, the kinds of information involved, the number of individuals affected (if known), and the steps taken in response. 
  2. Notify affected individuals: You must notify each individual whose information was involved in the breach, or — if this is not practicable — make a public notification that is reasonably likely to reach them. 

Notification to individuals should include: 

  • A description of the data breach 
  • The kinds of information involved 
  • What steps affected individuals should take to protect themselves 
  • Contact details for further information or assistance 

Notification should be direct — by phone, email, or letter — where practicable. If you cannot identify and directly contact all affected individuals, a public notification (such as a prominent notice on your website) may be used to supplement direct notification. 

Common Breach Scenarios in General Practice 

The Wrong Recipient Email 

A staff member sends a patient’s results, referral letter, or records to the wrong email address. This is one of the most common privacy breaches in general practice. Immediate steps: contact the wrong recipient to request deletion and confirmation; assess the sensitivity of the information; determine whether the NDB threshold is met. 

The Stolen Laptop 

A GP’s laptop containing unencrypted patient records is stolen from a car. This is a high-risk breach. Unencrypted data on a stolen device is highly likely to meet the serious harm threshold — particularly for health information. Assess and notify promptly. 

The Chatty Staff Member 

A staff member discusses a patient’s diagnosis or treatment with an acquaintance outside work. This is an unauthorised disclosure of health information. The seriousness depends on the sensitivity of the information and the context of the disclosure. Disciplinary action against the staff member is appropriate; assess whether NDB notification is required. 

Accessing Records Without Clinical Justification 

A staff member accesses the records of a celebrity patient, a former partner, or a neighbour without clinical justification. This is an internal breach — and a serious one. It can constitute a criminal offence under state privacy legislation as well as an NDB-notifiable breach. 

Preventing Privacy Breaches: Key Practice Obligations 

Under the Privacy Act, healthcare providers are required to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. In practice, this means: 

  • Using clinical software with appropriate security controls, including strong password requirements and multi-factor authentication 
  • Encrypting devices that store patient information — particularly laptops and portable drives 
  • Implementing a staff privacy and information security policy and ensuring all staff are trained on it 
  • Restricting access to patient records on a need-to-know basis 
  • Having a documented data breach response plan before a breach occurs 
  • Regularly backing up data and testing recovery processes 
  • Using secure communication channels for patient information — not personal email accounts or consumer messaging apps 
  • Conducting periodic privacy audits of your practice systems and processes 

Frequently Asked Questions 

Q: We accidentally faxed a patient’s results to the wrong number. Do we have to notify the OAIC? 

Assess the sensitivity of the information and the likely recipient. If the misdirected fax contained sensitive health information (diagnoses, medications, test results) and was sent to an unknown third party, the NDB threshold may well be met. Take immediate steps to contact the wrong recipient and request return or destruction of the document. Document your assessment and its outcome. 

Q: An ex-employee has taken patient records when they left. What do we do? 

This is a serious breach involving both unauthorised access to and loss of health information. Contact your indemnity insurer immediately. Consider whether to report to police (unauthorised access to computer systems can be a criminal offence). Assess the NDB threshold. Notify the OAIC and affected patients if the threshold is met. 

Q: Do we need to notify patients even if the breach was minor and unlikely to have caused harm? 

If the breach does not meet the NDB ‘serious harm’ threshold, formal notification under the NDB scheme is not required. However, you should still document the breach, assess and remediate it, and consider whether best practice in your clinical context warrants informing the affected patient regardless. Voluntary notification is always an option. 

Q: How long do we have to notify the OAIC after an eligible data breach is confirmed? 

As soon as practicable after you become aware that an eligible data breach has occurred. There is no fixed number of days for notification once the breach is confirmed — the obligation is prompt notification. The 30-day window applies to the assessment phase, not to notification. 

Q: Can a patient sue us for a privacy breach? 

Under the Privacy Act, the OAIC can investigate complaints, conciliate disputes, and refer serious matters for civil penalty proceedings. Individuals can make complaints to the OAIC, which can result in orders including compensation. State-based privacy legislation (particularly in NSW and VIC) also provides for civil liability in some circumstances.