
My Health Record Data Breach Notification

About this form

This form is intended for use by reporting entities, including organisations that are registered to participate in My Health Record as a healthcare provider organisation, contracted service provider, portal operator or repository operator.

Reporting entities must notify the Australian Digital Health Agency (the Agency), as system operator for My Health Record, of any actual or potential data breach. Data breach notifications must be submitted as soon as practicable after the reporting entity becomes aware that the breach has, or may have, occurred (regardless of whether or not the data breach has been confirmed). 

A My Health Record data breach involves either (or both) of the following:

  • unauthorised collection, use or disclosure of information in a person’s My Health Record
  • an event or circumstance that has compromised (or may compromise) the security or integrity of the My Health Record system.

My Health Record data breach notification requirements are outlined in the My Health Records Act 2012. Further information is available on the Australian Digital Health Agency website.

Note: Data breaches that do not involve My Health Record may need to be handled in accordance with the Privacy Act 1988 Notifiable data breaches scheme.

Asking the Agency to inform affected individuals

If a data breach has occurred, section 75(6)(d) of the My Health Records Act requires the reporting entity to ask the Agency to notify all healthcare recipients affected by the data breach (and the general public if a significant number of healthcare recipients are affected).

If a data breach may have occurred, section 75(5)(c) of the My Health Records Act requires the reporting entity to ask the Agency to notify all healthcare recipients that would be affected by the data breach, if there is a reasonable likelihood that the data breach has occurred and the effects might be serious for at least one healthcare recipient.

Notifying the Office of the Australian Information Commissioner

With some exceptions (see note below), reporting entities are also required to notify the Office of the Australian Information Commissioner (OAIC) of an actual or potential data breach. The OAIC will issue a data breach reference number, and a copy of this reference number should be provided to the Agency. For further information, and instructions on how to notify the OAIC, please visit the OAIC’s Report a My Health Record data breach webpage and refer to the Guide to mandatory data breach notification in the My Health Record system.

Note: the requirement to notify the OAIC does not apply if the organisation is a state or territory authority or instrumentality; such bodies are only required to notify the Agency (see sections 75(2)(c) and 75(2)(d) of the My Health Records Act). State and territory bodies may also be required to comply with the mandatory reporting scheme for their jurisdiction, or may choose to voluntarily report data breaches to their local privacy regulator in addition to reporting to the Agency.

Privacy policy

For more information on how the Agency handles your personal information, how you can access and seek correction of the information, how privacy complaints can be made, and how the Agency deals with such complaints, please see the Agency privacy policy.

1. Health Provider Organisation Details

2. Details of My Health Record data breach

Please include details of any:
  • contravention of the My Health Records Act 2012, involving suspected/actual unauthorised collection, use or disclosure of health information included in a healthcare recipient’s My Health Record
  • events/circumstances that compromise (or may compromise) the security or integrity of the My Health Record System.

Date and time of the actual or potential data breach

  • Please do not include personal details.
  • Please include details of whether the data breach was deliberate, malicious, inadvertent or intentional, and whether it was caused by a systemic issue or an isolated situation.
  • For example, policies and procedures, user account management measures, training programs, cyber security controls etc.
  • Please provide details, including entity name(s), and outline how they are involved in the breach.
  • Please provide details, including date(s), reference numbers and other relevant information.

3. OAIC Notification

Please refer to OAIC notification requirements (above)

4. Request to notify affected individuals

Note: only one option should be selected (A or B). Refer to the explanatory notes (above) for further information.

(A) Where a data breach has occurred

If a data breach has occurred, please tick this checkbox:

Note: where a data breach has occurred, it is a legislative requirement that the organisation must request the Agency (system operator) to notify affected healthcare recipients.

(B) Where a data breach may have occurred - are healthcare recipients to be notified?

Is it reasonably likely that a data breach has occurred, and the effects might be serious for at least one healthcare recipient?

5. Contact details for provision to individuals affected by the data breach

Please provide the contact details (name, position title, email address and/or phone number) of a person that affected individuals can contact if they wish to discuss the matter with your organisation. If this person is someone other than the person completing this form, please obtain their consent before providing their personal information. Where healthcare recipients are contacted, these contact details will be provided to them.

6. Confirmation

Date last updated: 28 March 2024