Massive fines for data breaches

When running your own practice or working in a dental or medical practice, it is important to ensure you are using secure electronic communication to protect the data of your patients. As technology progresses, the need for strong data management has become essential in the running of a practice.

The Law has changed

As of 22 February 2018, new legislative requirements under the Federal Government's Notifiable Breaches scheme came into effect. The aim of this was to outline new standards of accountability and transparency to protect individuals' personal information. As a practice, you have access to patient records and private information, and this information must be protected.

The scheme stipulates that any entity subject to the Privacy Act 1988 with an annual turnover of more than $3 million is required to notify individuals if their personal data has been involved in a serious breach. For those who don't comply, the fines are up to $420,000 for individuals (serious or repeated interference with privacy) and up to $2.1 million for corporations.

As with any personal data and information breaches, the accidental release of people's health records and Medicare card information can cause ‘serious harm’, ruin reputations and cause distrust of that organisation.

Harm can include psychological, emotional, physical, reputational or other forms of harm and ‘requires an objective assessment, determined from the viewpoint of a reasonable person in the entity's position’.

Here are some key points from the Office of the Australian Information Commissioner (OAIC) on the Notifiable Data Breaches Scheme:

What is a data breach?

A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. As a result of a data breach, an individual may be placed at risk of serious harm, or your practice may not have been able (or may not have acted swiftly enough) to prevent this serious harm.

Examples of a data breach include when:

  • a device containing customers' personal information is lost or stolen
  • a database containing personal information is hacked
  • personal information is mistakenly provided to the wrong person

The type or types of personal information involved in the data breach

Some kinds of personal information may be more likely to cause an individual serious harm if compromised. Examples of the kinds of information that may increase the risk of serious harm if there is a data breach include:

  • sensitive information such as information about an individual's health
  • documents commonly used for identity fraud (including Medicare card, driver licence, and passport details)
  • financial information
  • a combination of types of personal information (rather than a single piece of personal information) that allows more to be known about the individuals the information is about.

Steps to take if a data breach occurs

There are three options for notifying affected individuals:

  • Notify all individuals whose personal information was involved;
  • Notify only those who are at likely risk of serious harm; or
  • If direct notification is not practicable, publish the notification and take reasonable steps to publicise it.

Notification can be via your normal methods of communication.

The faster an entity responds to a data breach, the more likely it is to effectively limit any negative consequences. A data breach response plan is essential to facilitate a swift response and ensure that any legal obligations are met following a data breach.

An effective data breach response generally follows a four-step process — contain, assess, notify, and review.

My Health Record system data breaches

Certain participants in the My Health Record system (such as the System Operator, a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider) are required to report data breaches that occur in relation to the My Health Record system to either the System Operator or the Commissioner, or both, depending on the entity reporting the data breach (s 75 of the My Health Records Act). If a data breach has been, or is required to be, notified under s 75 of the My Health Records Act, the NDB scheme does not apply (s 26WD). This exception is intended to avoid duplication of notices under the NDB scheme and the data breach notification requirements in the My Health Record system.

Information about data breach notification requirements of the My Health Records Act is available in the OAIC’s Guide to mandatory data breach notification in the My Health Record system.

Only notifications under s 75 of the My Health Records Act fall within this exception. Notifications under other schemes such as that within the National Cancer Screening Register Act are not excluded from the NDB scheme.


A practice manager who has access to the My Health Record system for administrative purposes only, accesses a patient’s My Health Record clinical information without authorisation. The GP discovers this incident and immediately notifies the System Operator and the Commissioner as required under s 75 of the My Health Records Act. There is no need to also notify this data breach under the Privacy Act.

At or about the same time, the practice manager also accesses the GP’s clinical database (not part of the My Health Record system), and downloads their ex-partner’s health information without authorisation. Upon discovering this incident, the GP takes immediate steps to contain the breach and, due to the nature of the relationship between the practice manager and the patient, decides there is a likelihood of serious harm to the patient in the circumstances. The GP notifies the patient and the Commissioner about the data breach, as required under the Privacy Act’s NDB scheme.


Notifiable data breaches flowchart

If you have any questions regarding your membership, please contact MIPS' Support and Advice line on 1800 061 113.