A number of steps should be followed when notifying the Australian Digital Health Agency of a potential or actual data breach relating to the My Health Record system. The information on this page provides an overview of these steps.
Further information about data breaches is available at - Manage a data breach.
Checklist for providing a notification
The information you need to provide (at a minimum) regarding the actual or potential data breach is outlined in the checklist below:
- description of the data breach
- date and time of the data breach
- cause of the data breach
- type of information involved
- how many healthcare consumers were or may have been affected
- whether the data breach has been contained
- what action has been taken or is being taken to mitigate the effects of the data breach and/or prevent further data breaches
- name and contact details for the appropriate contact person within your organisation
- any other relevant information
Steps for healthcare providers
Once you have notified the Agency and OAIC (if applicable), the following steps need to be taken to confirm and evaluate the data breach.
1. Assess data breach
- Evaluate: assess whether there is a reasonable likelihood that a data breach may have occurred and the effects of the potential data breach may be serious for at least one or more healthcare consumers.
- Contain: a data breach has or is likely to have, occurred, identify risks related to the breach and take steps to prevent additional breaches or system compromise.
2. Request notification
- Assess the seriousness of the effects of each data breach on a case by case basis, taking all relevant circumstances into account.
- Ask the Australian Digital Health Agency to notify all healthcare consumers that may be affected; or the general public if a significant number of people are impacted. (Note: healthcare providers should not contact consumers directly)
3. Continue investigation
- Conduct an extensive investigation to determine the extent of the breach (there is an expectation that this occurs within days, not weeks).
- Notify the relevant parties of any additional findings and take actions to prevent any other potential breaches of a similar nature.
Who to notify
Healthcare providers will need to notify the Australian Digital Health Agency of the data breach.
In addition, you will need to notify the Office of the Australian Information Commissioner (OAIC), except where your healthcare organisation is a state or territory authority or instrumentality.
Timing of notifications
The obligation to notify the relevant parties of a data breach is triggered the moment a healthcare entity becomes aware it has, or may have, occurred. This is necessary regardless of whether only preliminary investigation has been undertaken and the data breach is yet to been completely confirmed.