When a practice discovers that patient information has been lost, stolen, or exposed, the first hours decide how the rest plays out. This guide walks the response in order. For what the Notifiable Data Breach scheme requires in full, read the healthcare data breach obligations guide; this is the do-it-now procedure.
A note on timing: the scheme gives you up to 30 days to assess a suspected breach, and notification is "as soon as practicable" once you decide it is notifiable. The 72-hour framing here is the practical response window, not a legal deadline. Moving fast protects patients and makes the assessment easier, not harder.
Before you begin
Have your data breach response plan open. If you do not have one, that is the first gap to close after this incident; our data breach response plan template gives you the structure. Decide now who leads the response (usually the practice manager or privacy officer) and where you will keep the incident log.
Step 1: Contain the breach
Stop the breach from continuing before you do anything else. Isolate the affected device from the network (unplug the cable or disable Wi-Fi rather than powering it off, so logs and memory survive), reset compromised passwords and revoke any active sessions or tokens (a password reset alone does not end a session the attacker already holds), or revoke the access that went wrong. For a misdirected email or fax, ask the recipient to delete or destroy it and confirm in writing: email "recall" rarely works once the message has left your own mail system, and a fax cannot be recalled at all. The goal is to prevent any further loss or exposure of information while you work out what happened.
Do not delete or "clean up" anything yet, and do not wipe or reimage the affected device. Preserving the affected systems and logs (sign-in and mailbox audit logs, the device itself, the misdirected message) matters for both the assessment and any later investigation, so contain the breach without destroying the evidence of it.
Step 2: Stand up your response team and start the clock
Convene the people who need to act: the response lead, IT or your managed service provider, and the practice owner or principal. Open an incident log and record the time you became aware, what you know so far, and every action from here on with a timestamp. That log is your proof that you responded reasonably and within time.
The 30-day assessment clock started when you first became aware of reasonable grounds to suspect a breach, not when you convened the team, so record that time accurately. A clear, timestamped record from this point is what makes the rest defensible.
Step 3: Assess whether serious harm is likely
Work out whether this is an eligible breach, which turns on the serious harm test: is the breach likely to result in serious harm to an individual, and can you prevent that harm through remedial action? Weigh the kind of information involved (health information is sensitive and raises the risk), how much there is, who could access it, and whether it was encrypted or already recovered.
If quick remedial action removes the risk of serious harm (for example you recovered the only copy before anyone accessed it), it may not be notifiable. If you cannot rule out serious harm, treat it as notifiable. The notifiable data breach decision tool walks this test with you.
Step 4: Notify the OAIC and affected individuals
If serious harm is likely and you cannot prevent it, you must notify both the OAIC and the affected individuals as soon as practicable. Prepare a statement that sets out your practice's name and contact details, what happened, the kinds of information involved, and the steps individuals should take to protect themselves (such as changing passwords or watching for scams). Notify affected patients directly where you can; if that is not practicable for all of them, notify those at risk of serious harm, and if neither is practicable, publish the statement on your website and take reasonable steps to publicise it.
Send the statement to the OAIC through its online form and keep a copy with your incident log. Clear, prompt notification is also what limits reputational and legal fallout.
Step 5: Review, remediate, and prevent a recurrence
Once the immediate response is done, find the root cause and close it. If a phishing email or an unpatched system let the breach happen, that points straight at the Essential Eight controls (multi-factor authentication, patching applications and operating systems, regular backups, restricting administrative privileges, user application hardening). Fix the specific weakness and check whether the same gap exists elsewhere, for example the same unpatched software on other workstations or the same shared account in use by other staff.
Finally, update your response plan with what you learned, and file the whole incident (log, assessment, notification, remediation) as evidence. A well-documented breach response is exactly what an assessor or the OAIC wants to see.
What good looks like
- You contained the breach within minutes, not days, and preserved the evidence.
- Every action is timestamped in one incident log.
- The serious-harm assessment is written down with the reasoning, not just the conclusion.
- Affected patients were told clearly and given practical steps to protect themselves.
- The root cause was fixed and the response plan updated.
Common mistakes: deleting affected data before assessing, treating "we are not sure" as "not notifiable", missing the affected-individual notification while focusing only on the OAIC, and never closing the root cause so the same breach recurs.
Frequently asked questions
How long do I have to report a data breach in Australia?
The Privacy Act requires you to take all reasonable steps to complete the assessment of a suspected eligible breach within 30 days of becoming aware of it, and to notify the OAIC and affected individuals as soon as practicable once you decide it is notifiable. There is no fixed 72-hour legal deadline under the Notifiable Data Breach scheme; the first 72 hours is simply the practical window in which good responses do the critical work.
What makes a data breach notifiable?
A breach is notifiable when it involves unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to an individual, and you cannot prevent that harm through remedial action. Health information is sensitive, so breaches involving it more readily meet the serious-harm threshold.
Do I have to tell patients, or just the OAIC?
Both. If a breach is notifiable, you must notify the affected individuals as well as the OAIC, and you must give individuals practical steps to protect themselves. Notifying only the regulator is a common and serious mistake.
What if we contained the breach immediately?
If your remedial action means serious harm is no longer likely (for example you recovered the only copy of the data before anyone could access it), the breach may not be notifiable. You still assess and document the decision, because the reasoning is what justifies not notifying.
What should we have ready before a breach happens?
A written data breach response plan, a named response lead, and an incident log template, plus the Essential Eight controls, which address the most common intrusion techniques behind practice breaches (phishing, credential theft, unpatched software). Having these in place is what lets you move through the first 72 hours calmly.