Tags: Cybersecurity, Cyber Security Act 2024, Ransomware, Privacy Act, Compliance, General Practice, Healthcare

Ransomware Payment Reporting for Healthcare Practices: Your 72-Hour Cyber Security Act 2024 Deadline

ClinicComply Team

Key Takeaways

  • The Cyber Security Act 2024 commenced 30 May 2025 and requires any Australian entity with annual turnover above $3 million to report a ransomware payment to the Australian Signals Directorate within 72 hours of making it.
  • This obligation is completely separate from the Notifiable Data Breaches scheme under the Privacy Act. Ransomware payment reporting goes to the ASD; data breach notification goes to the OAIC. A single incident can trigger both obligations simultaneously.
  • The civil penalty for a corporate entity that fails to report is $99,000 per contravention. The education-first enforcement phase ended on 31 December 2025. Active enforcement is now underway.
  • Healthcare has been Australia's most-breached sector in every OAIC report since 2018, and ASD data shows ransomware incidents against healthcare doubled year-on-year in 2024-25.
  • The reporting obligation covers payments made on your behalf. If your insurer or IT provider pays a ransom during incident response, the 72-hour clock starts from when you become aware of the payment.

Australian healthcare practices are now operating under active enforcement of a reporting obligation that many have never heard of. The Cyber Security Act 2024 commenced on 30 May 2025 and introduced, for the first time in Australia, a mandatory requirement to report any ransomware payment to the Australian Government within 72 hours. The education-first phase that ran through December 2025 is over. From 1 January 2026, the Australian Signals Directorate can and will enforce this obligation, and the penalties for non-compliance are not trivial. If your practice turns over more than $3 million annually and has never mapped this obligation into your incident response plan, that is a gap worth closing now.

What the Obligation Actually Requires

The ransomware payment reporting obligation sits under Part 2A of the Cyber Security Act 2024, with detail provided by the Cyber Security (Ransomware Payment Reporting) Rules 2025. The obligation is triggered by a single event: making a payment to a cybercriminal as part of a ransomware or cyber extortion incident.

If your practice is hit by ransomware and chooses not to pay, this specific obligation does not apply. But most of your other obligations under the Privacy Act and the My Health Record Act still do, because a ransomware attack almost always involves unauthorised access to patient data. The 72-hour reporting window begins when your practice makes the payment, or when you first become aware that a payment has been made on your behalf. That second scenario matters: if your cyber insurer or IT provider pays a ransom as part of managing the incident before informing you, the clock runs from the moment you are told, not from when the payment was made.

Reports are submitted through the online portal at cyber.gov.au. The information you must provide includes business identifiers, the timing and nature of the incident, an impact assessment, the type of ransomware involved, vulnerabilities that were exploited, all communications with the extortionists, and payment details. Preparing this information under pressure during an active incident is not realistic unless you have documented it in advance, which is exactly what a tested incident response plan should capture.

Who Is Captured: The $3 Million Threshold

The obligation applies to any entity carrying on business in Australia with annual turnover of $3 million or more in the financial year in which the payment is made. This threshold captures the vast majority of GP practices, specialist clinics, allied health groups, pathology providers, aged care facilities, and private hospitals.

A single-GP solo practice turning over less than $3 million is technically below the threshold, but the threshold is based on the entity's total revenue, not clinical billings alone. If your practice operates across multiple locations, through a corporate entity, or with associated revenue streams, your total turnover may be well above the threshold even if any one site looks modest. Critical infrastructure entities have an additional obligation regardless of turnover. Hospitals with intensive care units are designated critical infrastructure assets under the Security of Critical Infrastructure Act 2018, meaning they are captured by the ransomware reporting rules even if they fall below the revenue threshold.

How This Differs From Your Privacy Act Obligations

This is the most important distinction for practice managers to understand. The Cyber Security Act ransomware payment reporting obligation and the Notifiable Data Breaches scheme under the Privacy Act are completely separate frameworks, administered by different agencies, with different triggers and different timelines.

The NDB scheme requires your practice to notify the OAIC and affected individuals when an eligible data breach occurs and is likely to result in serious harm. This is about the impact on patient data. For a full breakdown of what the NDB scheme requires in a healthcare context, including assessment timelines and the "serious harm" threshold, see our guide to healthcare data breach obligations in Australia. The ransomware payment reporting obligation is about the payment itself, regardless of whether any data was actually compromised or exfiltrated. A practice could theoretically make a ransomware payment, successfully recover its systems without any data being stolen, and still be required to report under the Cyber Security Act.

In practice, a ransomware attack on a healthcare organisation almost always triggers both obligations. The attackers gain access to systems containing patient records, triggering the NDB scheme, and the practice pays to recover access, triggering the Cyber Security Act. You report the payment to ASD through cyber.gov.au within 72 hours, and you separately assess and report the data breach to the OAIC within 30 days of confirming it meets the NDB threshold. If your systems access My Health Record, a third obligation applies under the My Health Record Act to notify both the OAIC and the Australian Digital Health Agency. These obligations do not cancel each other out and each carries its own penalty regime.

The civil penalty for failing to report a ransomware payment under the Cyber Security Act is 60 penalty units: $99,000 for a corporate entity and $19,800 for an individual or unincorporated entity. These penalties apply per contravention and sit on top of any Privacy Act penalties for failing to properly manage the associated data breach.

The Healthcare Threat Context

The reporting obligation exists because of a specific problem: the Australian Government has limited visibility into the scale of ransomware payments being made, which makes it harder to track threat actors and respond at a national level. Healthcare is the sector where that gap matters most.

ASD's Annual Cyber Threat Report for 2024-25 found that ransomware incidents against healthcare doubled year-on-year. Healthcare accounted for 17% of all cybersecurity incidents in Australia in 2024, the highest share of any single sector. ASD data shows malicious actors succeeded in 95% of healthcare sector incidents they responded to, compared to 52% across all other sectors. The Genea Fertility breach in February 2025 saw 700GB of unencrypted patient data published on the dark web. The MediSecure breach in 2024 exposed 12.9 million records. The Medibank incident in 2022 affected nearly 10 million people and is still generating regulatory action three years later.

These are not abstract statistics. They describe a sector that is consistently targeted, consistently compromised, and now subject to a legal obligation to report when it pays criminals to restore access to clinical systems.

What Your Practice Needs to Put in Place

Compliance with the ransomware payment reporting obligation is not primarily a technology problem. It is a process and documentation problem. Your incident response plan must address three specific questions before an incident occurs: who in your practice is responsible for making the decision to pay a ransom, who is responsible for submitting the report to ASD within 72 hours, and who notifies management and your IT provider or MSP the moment an attack begins.

Your cyber insurance policy, if you have one, should be reviewed to understand exactly what your insurer will do in the event of an attack, and specifically whether they or a third-party incident response firm might make a ransom payment on your behalf. If that is possible, you need a protocol for being notified immediately, because the 72-hour clock runs from when you become aware of the payment.

Documenting this in advance is also consistent with the obligations under the RACGP Computer and Information Security Standards (CISS), which require a tested incident response plan as part of the 12 CISS domains assessed at accreditation. If your practice has not yet worked through the full CISS and Essential Eight requirements, our cybersecurity compliance checklist for Australian GP practices covers both frameworks in detail. A documented, tested ransomware response procedure satisfies multiple compliance obligations at once.

How ClinicComply Helps

ClinicComply maps the RACGP CISS requirements, including incident response planning, into a trackable compliance framework. Your practice can document your ransomware response procedure, assign it to the right team member, set review reminders, and upload evidence, all alongside your accreditation checklist and other compliance obligations.

For practices that have not yet mapped the Cyber Security Act ransomware payment reporting obligation into their incident response documentation, ClinicComply provides a structured way to do that before enforcement creates a more urgent problem. Start your free 30-day trial at cliniccomply.com.au.

Frequently Asked Questions

What is the Cyber Security Act 2024 ransomware payment reporting obligation?

The Cyber Security Act 2024 requires any Australian entity with annual turnover above $3 million to report a ransomware or cyber extortion payment to the Australian Signals Directorate within 72 hours of making it. Reports are submitted through the online portal at cyber.gov.au. This obligation is entirely separate from the Notifiable Data Breaches scheme under the Privacy Act, which covers unauthorised access to personal information.

Who has to report ransomware payments under the Cyber Security Act 2024?

Any entity carrying on business in Australia with annual turnover of $3 million or more in the year the payment was made must report. Critical infrastructure entities, including hospitals with ICUs, are also captured regardless of turnover. This covers the majority of GP practices, specialist clinics, allied health groups, aged care facilities, and private hospitals.

How long do I have to report a ransomware payment?

The reporting window is 72 hours, beginning from when your entity makes the payment or when you first become aware that a payment was made on your behalf. If your cyber insurer or IT provider pays a ransom without immediately notifying you, the clock starts from the moment you are told about the payment.

What are the penalties for failing to report a ransomware payment in Australia?

The civil penalty is 60 penalty units per contravention: $99,000 for a corporate entity and $19,800 for an individual or unincorporated entity. The education-first enforcement phase ended on 31 December 2025, and the ASD is now in active enforcement mode.

Is ransomware payment reporting the same as notifying a data breach?

No. These are separate obligations under different laws administered by different agencies. Ransomware payment reporting goes to the ASD via cyber.gov.au within 72 hours of the payment. Data breach notification goes to the OAIC under the NDB scheme within 30 days of confirming an eligible breach. A single ransomware incident in a healthcare practice will often trigger both obligations simultaneously, along with a third obligation under the My Health Record Act if your practice accesses MHR.

Does this obligation apply if we don't pay the ransom?

No. The Cyber Security Act ransomware payment reporting obligation is only triggered if your practice actually makes a payment to the attackers. If you do not pay, this specific obligation does not apply. Your Privacy Act obligations under the NDB scheme still apply to any data that was accessed or stolen during the attack, regardless of whether you paid.

What information do I need to include in a ransomware payment report?

Your 72-hour report to ASD must include your business identifiers, the timing and nature of the incident, an impact assessment, the type of ransomware involved, any vulnerabilities that were exploited, all communications with the extortionists, and the payment details. Preparing this information in advance through a documented incident response plan makes the reporting process significantly more manageable during an active incident.

How does mandatory ransomware reporting differ from the Privacy Act NDB scheme for healthcare?

The ransomware payment reporting obligation under the Cyber Security Act is triggered by the act of paying a ransom, not by a data breach. The NDB scheme under the Privacy Act is triggered when an unauthorised person accesses or discloses personal information and serious harm to individuals is likely. A healthcare practice can trigger the ransomware reporting obligation without any data being stolen, and can trigger the NDB scheme without paying a ransom. In most real healthcare ransomware incidents, both obligations apply at the same time and must be managed in parallel.
