My Health Record

Data breaches

Organisations must notify the Australian Digital Health Agency of any potential or actual data breaches that relate to (or may relate to) the My Health Record system.

Note: data breaches that do not involve the My Health Record system may need to be handled in accordance with the Privacy Act Notifiable Data Breaches scheme.

Data breaches - My Health Records Act 2012

All organisations that are registered to participate in the My Health Record system are required to comply with data breach notification obligations outlined in the My Health Records Act.

According to the My Health Records Act, a data breach occurs when:

  • A person contravenes the My Health Records Act in a manner involving unauthorised collection, use or disclosure of health information included in a person's My Health Record; or
  • A situation involves:
    a) an event that has, or may have, occurred or
    b) circumstances that have, or may have, arisen
    that compromise, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system (whether or not involving a contravention of the My Health Records Act).

Notification of data breaches - My Health Records Act 2012

Entities using the system must notify the Australian Digital Health Agency (System Operator) of any potential or actual data breaches, as soon as possible. Even if the data breach has been resolved, you must still notify the Agency.

For example, if a healthcare provider’s system is infected with malicious software, this could compromise their system and may allow unauthorised access to information in the system. The healthcare provider would need to notify the Agency immediately and at the same time take steps to remove the malicious software from their system.

As the System Operator, we receive data breach notifications so that we can take any additional steps that may be necessary to ensure the ongoing protection of information in the My Health Record system. In addition, we will contact any affected people and provide information so they can implement any steps that might be required in response to the situation.

You can learn more by reviewing the Office of the Australian Information Commissioner (OAIC) Guide to mandatory data breach notification in the My Health Record system.

See "Data breach notification steps" (below) for more information.

Data breach notification steps

A number of steps should be followed when notifying the Australian Digital Health Agency of a potential or actual data breach relating to the My Health Record system. The information on this page provides an overview of these steps.

Steps
If you suspect a data breach has, or may have, occurred, the following steps need to be followed.

1. Contain
  • Take appropriate steps to immediately contain the situation.
  • The action required will depend on what has occurred. For example, you may need to disable user accounts, instruct users to change passwords, or disconnect the system while taking care to maintain evidence.
  • Take steps to reduce the harm healthcare recipients may suffer as a result of the situation.
  • In the case of a security incident, notify the Australian Digital Health Agency as soon as possible, to minimise any potential risk to the My Health Record system.
2. Assess
  • Undertake an initial assessment of the impact and extent of the situation.
  • Identify what personal information has or may have been affected, and consider whether this information relates to the My Health Record system.
  • Determine the cause of the situation (for example, human error, inappropriate behaviour, security attack).
  • Identify what initial action may need to be undertaken to minimise the impact of the situation.
3. Manage notifications
  • Notify the person or team within your organisation who is responsible for My Health Record privacy, security and compliance.
  • Notify the Agency if the matter relates to:
    • a contravention involving unauthorised collection, use or disclosure of health information in a person’s My Health Record, or
    • a security incident or event that may compromise the security or integrity of information in the My Health Record system, even if you are not certain whether it has done so.
  • Notify the OAIC, except where your healthcare organisation is a state or territory authority or instrumentality.
  • Ask the Agency to notify all healthcare consumers that may be affected, and the general public if a significant number of people are impacted. (Note: My Health Record legislation requires organisations to ask that the Agency notify healthcare recipients. This is a requirement even if the organisation has already contacted the healthcare recipients).
4. Continue investigation
  • Conduct an extensive investigation to determine the extent of the situation (there is an expectation that this occur at the earliest opportunity).
  • Take actions to prevent similar situations occurring in the future.
  • Provide updates to the Agency and the OAIC in relation to any additional findings.

How to notify

You will need to complete the Australian Digital Health Agency data breach notification form (PDF, 558.98 KB).

In addition, you will need to notify the Australian Information Commissioner using the OAIC My Health Record data breach notification form, except where your organisation is a state or territory authority or instrumentality.

Checklist for providing a notification

The information you need to provide (at a minimum) regarding the actual or potential data breach is outlined in the checklist below:

  • description of the data breach
  • date and time of the data breach
  • when and how you became aware of the breach
  • cause of the data breach
  • type of information involved
  • how many healthcare consumers were or may have been affected
  • whether the data breach was inadvertent or intentional, as well as whether it has been contained
  • any other entities involved in the data breach
  • whether the data breach appears to stem from a systemic issue or an isolated trigger
  • what action has been taken or is being taken to mitigate the effects of the data breach and/or prevent further data breaches
  • any measures that were already in place to prevent the breach
  • whether your organisation has experienced a similar breach in the past
  • name and contact details for the appropriate contact person within your organisation
  • any other relevant information.

Timing of notifications

When an organisation becomes aware a system data breach has, or may have, occurred, the relevant parties must be notified as soon as practicable. If you think a data breach may have occurred, but this hasn’t been confirmed, you still need to submit a data breach notification.

Notifiable Data Breaches scheme - Privacy Act

There are some situations where a data breach does not have to be reported under the My Health Records Act. This includes situations where a data breach does not relate to the My Health Record system at all, such as an incident where someone has inappropriately accessed information in your payroll system.

Data breaches that do not involve the My Health Record system may still need to be handled in accordance with the Privacy Act Notifiable Data Breaches scheme, which includes a requirement to notify the OAIC when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.

For more information about the Privacy Act Notifiable Data Breaches scheme or how it interacts with the My Health Records Act data breach notification obligations, visit the OAIC’s website.