Key Takeaways
- Healthcare has been Australia's most-breached sector in every OAIC report since the NDB scheme launched in 2018, accounting for around 18-20% of all notifications.
- In October 2025, a healthcare company received Australia's first ever civil penalty under the Privacy Act: $5.8 million. It was penalised not just for being hacked, but for how slowly it responded and how inadequate its security was beforehand.
- A single healthcare data breach can trigger three separate reporting obligations at the same time, each with different deadlines and different recipients: the NDB scheme (Privacy Act), the My Health Record Act, and the Cyber Security Act 2024 ransomware reporting rule.
- The NDB scheme applies to all healthcare providers regardless of practice size or annual turnover. Allied health sole traders have the same obligations as a large hospital group.
- Human error, not ransomware, caused 37% of all notifiable data breaches in the first half of 2025. Misdirected emails, wrong patient records, and fax errors are just as reportable as a cyberattack.
In October 2025, the Federal Court ordered Australian Clinical Labs to pay $5.8 million in civil penalties under the Privacy Act 1988. It was the first time in Australian history that any organisation had received a civil penalty under the Act. The breach itself, a ransomware attack on Medlab Pathology in February 2022, exposed the health records of more than 223,000 people. But the penalties were not handed down simply because ACL was attacked. They were issued because ACL took months to assess what had happened, was too slow to notify the OAIC, and did not have reasonable security measures in place to begin with. Each of those failures was its own category of civil penalty. That distinction matters for every healthcare practice in Australia, regardless of size.
Why Healthcare Is Always at the Top
The Office of the Australian Information Commissioner publishes data breach statistics every six months under the Notifiable Data Breaches scheme. Healthcare has been the top-reporting sector in every single period since the scheme launched in 2018. In the first half of 2025, health service providers accounted for 18% of all notifications nationally. In the second half of 2024, that figure was 20%.
The reasons are structural. Health information is among the most sensitive personal data in existence. It is stored across dozens of interconnected systems including practice management software, pathology platforms, imaging systems, and the My Health Record network. Practices share records with third-party providers, specialists, pharmacies, and hospitals constantly. That creates a very wide attack surface, and ransomware groups know exactly how valuable the data is.
The ASD's Annual Cyber Threat Report for 2024-25 found that ransomware incidents against healthcare doubled year-on-year. It also found that malicious actors succeeded in 95% of healthcare sector incidents ASD responded to, compared to around 52% across all other sectors. Healthcare systems are compromised far more successfully than systems in other industries, and the data inside them is worth far more on the dark web.
Two recent breaches illustrate what is at stake. The MediSecure incident in April 2024 was a ransomware attack on an e-prescriptions provider that affected 12.9 million Australians, roughly half the population, exposing Medicare numbers, health identifiers, and prescription histories. The Genea Fertility breach in February 2025 involved around 700GB of IVF patient data published on the dark web, including diagnoses, treatment plans, and pathology results. In both cases, the breaches traced back to third-party suppliers or unencrypted data stores, not the clinic itself. Your legal obligations as a health provider can be triggered by a vendor's breach, not just your own.
The Three Reporting Obligations You May Not Know You Have
Most practice managers know that a serious data breach needs to be reported somewhere. Far fewer know that the same incident can require three separate reports, to three different bodies, under three different laws, with different timelines.
The first is the Notifiable Data Breaches scheme under the Privacy Act 1988. This applies to all health service providers in Australia, with no turnover threshold. Health information is explicitly excluded from the small business exemption that applies to other sectors. If you hold patient records, you are covered. When you become aware of a suspected eligible data breach, meaning unauthorised access to or disclosure of personal information that is likely to cause serious harm, you must assess the situation within 30 days and notify both the OAIC and the affected individuals as soon as practicable after confirming the breach.
The second is the My Health Record Act 2012, which sits alongside the Privacy Act and adds a separate layer for practices connected to the national health record system. Under this Act, you must notify both the OAIC and the Australian Digital Health Agency as soon as practicable of any actual or suspected breach involving My Health Record data. The trigger here is lower than under the NDB scheme: you must notify when a breach may have occurred, not just when you have confirmed it. Penalties under this Act reach up to $108,000 for an organisation.
The third is the Cyber Security Act 2024, which came into force on 30 May 2025. Under this Act, any entity with annual turnover above $3 million must report a ransomware payment to the Australian Signals Directorate within 72 hours of making the payment or becoming aware that it was made. This is not a breach notification but a payment notification, and it is a requirement separate from anything under the Privacy Act. If your practice is hit by ransomware and pays a ransom, you have a 72-hour window to report to ASD via cyber.gov.au, regardless of what else you are doing to manage the incident.
These three obligations run in parallel. A single ransomware attack that encrypts patient records could simultaneously start the 30-day NDB assessment clock, trigger the My Health Record notification requirement, and require a 72-hour payment report to ASD. Understanding which obligation is live and what action it requires is not optional once an incident begins.
What the 30-Day Assessment Window Actually Means
The 30-day window under the NDB scheme is widely misunderstood. Many practices assume it means they have 30 days to decide whether to report a breach. That is not how it works.
The 30-day clock starts as soon as you have reasonable grounds to suspect an eligible data breach may have occurred. From that moment, you must take reasonable and expeditious steps to assess whether the breach meets the criteria. If you confirm it does, you must notify the OAIC and affected individuals as soon as practicable after that confirmation. The 30 days is the ceiling on your assessment period, not a delay before action.
In practice, when ransomware is involved, you need to be moving within hours, not days. In the ACL case, the breach occurred in February 2022 and the dark web data was identified in June 2022. ACL's failure to act promptly on that information was one of the three categories of penalty. The court found that the 30-day assessment obligation requires genuine urgency, not a leisurely review process.
What Reasonable Steps Under APP 11 Actually Means for Your Practice
Australian Privacy Principle 11 requires health service providers to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. The $4.2 million component of the ACL penalty, the largest portion of the total, was issued entirely for failing to meet this standard.
For a medical practice, reasonable steps under APP 11 are not about perfection. They are about proportionate, documented security measures that match the sensitivity of the information you hold. That includes having a current data breach response plan, configuring your practice management software with appropriate access controls, training staff on what constitutes a reportable incident and what to do when one occurs, keeping software and systems updated, and knowing which third-party vendors have access to your patient data.
The Privacy and Other Legislation Amendment Act 2024, which received Royal Assent in December 2024, added a new APP 11.3 requiring specific technical and organisational measures to protect personal information. That is a higher standard than the previous general obligation. If your security practices have not been reviewed since before December 2024, they may not currently meet the statutory standard.
Human Error Is the Overlooked Breach Vector
Every media report about healthcare data breaches focuses on ransomware. The statistics tell a more complicated story. In the first half of 2025, 37% of all notifiable data breaches were caused by human error, up from 29% in the prior period. In healthcare specifically, human error has historically been one of the leading causes of breaches.
Misdirected emails with patient information attached, faxes sent to the wrong number, letters posted to outdated addresses, clinical notes accidentally visible on a shared screen, medical imaging accidentally sent to the wrong patient portal: these are all eligible data breaches if they result in unauthorised disclosure of health information that is likely to cause serious harm. They are also far more common than ransomware attacks and often go unreported because practices do not realise they count.
Staff training on what constitutes a reportable breach, documented processes for identifying and escalating suspected incidents, and a clear internal pathway from discovery to assessment to notification are the practical controls that address human error. These are not expensive technology investments. They are process and documentation investments that sit entirely within a practice manager's control.
How ClinicComply Helps
ClinicComply tracks your compliance against the Notifiable Data Breaches scheme and the Privacy Act Australian Privacy Principles in one place. The platform includes a dedicated NDB incident wizard that walks you through the assessment process step by step, keeping a documented record of your decisions and timeline as you go. That documentation matters: it demonstrates to the OAIC that your practice followed a reasonable and expeditious process, which is exactly what the ACL penalty highlights as the standard you are held to.
For vendor risk, ClinicComply's vendor management module lets you track which third-party suppliers have access to your patient data, store their privacy agreements, and set review reminders. Given that both MediSecure and Genea trace back to supplier or infrastructure failures, knowing which vendors hold your data and what security commitments they have made is a basic piece of due diligence that most practices currently do informally or not at all.
If your practice does not currently have documented breach response processes or a structured approach to tracking your privacy obligations, now is the right time to put both in place. Start your free 30-day trial at cliniccomply.com.au.
Frequently Asked Questions
Does the Notifiable Data Breaches scheme apply to small medical practices?
Yes. The NDB scheme applies to all health service providers in Australia regardless of size or annual turnover. Health information is explicitly excluded from the small business exemption that would otherwise apply to organisations with less than $3 million in annual turnover. A sole trader GP, a small physiotherapy clinic, a two-person psychology practice, and a large hospital group all have the same obligations under the NDB scheme.
What is an eligible data breach under the NDB scheme?
An eligible data breach occurs when personal information is accessed by or disclosed to an unauthorised person, or is lost in circumstances where unauthorised access is likely, and a reasonable person would conclude that the breach is likely to result in serious harm to one or more affected individuals. Remedial action that genuinely prevents the risk of serious harm before it occurs can prevent a breach from being notifiable, but this is a high bar and requires documented evidence.
How long do I have to report a data breach in Australia?
Under the NDB scheme, you must assess a suspected eligible data breach within 30 days of first having reasonable grounds to suspect it occurred. Once you confirm the breach meets the eligibility criteria, you must notify the OAIC and affected individuals as soon as practicable. There is no fixed deadline for notification after confirmation, but the OAIC expects prompt action and the ACL case demonstrates that delays are penalised. For a My Health Record breach, notification to the OAIC and ADHA is required as soon as practicable after you suspect it may have occurred.
What is the 72-hour ransomware reporting rule in Australia?
The Cyber Security Act 2024, in force from 30 May 2025, requires any entity with annual turnover above $3 million to report a ransomware payment to the Australian Signals Directorate within 72 hours of making the payment or becoming aware of it. Reports are made through the cyber.gov.au portal. This obligation is separate from the NDB scheme notification: you are reporting the payment, not the breach. Failure to report attracts a civil penalty of up to 60 penalty units.
What was the Australian Clinical Labs penalty and what does it mean for my practice?
In October 2025, the Federal Court ordered Australian Clinical Labs (which operated Medlab Pathology) to pay $5.8 million in civil penalties under the Privacy Act 1988. The penalty comprised $4.2 million for failing to take reasonable steps to protect patient data under APP 11, $800,000 for failing to assess the suspected breach promptly, and $800,000 for failing to notify the OAIC in a timely manner. The case is cited as Australian Information Commissioner v Australian Clinical Labs (No 2) [2025] FCA 1224. For any healthcare practice, the lesson is that the penalties attach to how you respond, not just to the breach itself. Slow assessment, delayed notification, and inadequate security are each independently penalised.
Do allied health providers have to report data breaches?
Yes. Physiotherapists, psychologists, occupational therapists, speech pathologists, podiatrists, dentists, optometrists, and all other allied health providers are health service providers under the Privacy Act and are subject to the NDB scheme regardless of practice size. Health information, meaning information or an opinion about a person's health or disability, attracts the highest level of protection under Australian privacy law and is explicitly excluded from the small business exemption.