We're aware of a cyber security incident affecting the electronic prescriptions provider MediSecure. The eRX Script Exchange (eRX) and the National Prescription Delivery Service (NPDS) continue to operate as usual and have not been impacted. Find out more and read our statement here.

Information security in general practice

Notifiable data breaches

    1. Notifiable data breaches

Last revised: 21 Apr 2023

Notifiable data breaches

A data breach occurs when personal information held by your practice is lost or subjected to unauthorised access. All breaches or suspected breaches should be recorded in a data breach register and practice management must be notified whether they are from a cybersecurity attack or otherwise.

Data breaches can occur:

  • through unauthorised access to your databases
  • through intentional and inappropriate disclosure of information by practice team members
  • when personal information is incorrectly disclosed
  • when sending a patient’s personal details and/or health information to the wrong recipient
  • if a practice team member is deceived into improperly releasing the personal information of another person
  • through loss or theft of laptops, mobile devices, or removable storage devices
  • when discarded hard drives or digital storage media still contain your practice information
  • through lost or stolen paper records.

Source of breaches

According to the Australian Government Office of the Australian Information Commissioner (OAIC) (2021), malicious or criminal attacks were the largest source of data breaches notified to the OAIC, accounting for 55% of breaches. Human error remained a major source of breaches, accounting for 41% of breaches.

This indicates that staff training is critical in minimising your practices risk of data breaches as part of a robust information security culture.

OAIC: Source of breaches (2021)10

Australian Government Office of the Australian Information Commissioner (2021) Notifiable Data Breaches Report  Accessed 5 August, 2022.

Top causes of human error breaches included:

  • personal information emailed to the wrong recipient (43%)
  • unintended release of publication (21%)
  • loss of paperwork or data storage device (8%)11

Leading risk – personal information emailed to the wrong recipient

A leading potential risk in a general practice’s information security is the high incidence of personal information being emailed to the wrong recipient, otherwise known as human error.
To reduce such occurrences, it is critical to regularly confirm with each patient that the email address you have listed against their name on your Patient Management System is correct and up to date. Aim to confirm patient email addresses every six months or, at a minimum, annually.
Your entire practice team has a responsibility to ensure cybersecurity measures are in place to protect your practice information systems from cybercrime and online threats. Each person in the practice needs to actively contribute to protecting the practice’s information systems.


Notifiable data breaches

The Privacy Amendment (Notifiable Data Breaches) Act 2017 establishes a Notifiable Data Breaches (NDB) scheme. Organisations covered by the Australian Privacy Act 1988 are required to notify individuals at risk of serious harm caused by a data breach. For further information on notifiable data breaches, visit the OAIC website.

If your practice believes an eligible breach occurred resulting in serious harm to patients, the mandatory notification law requires you to:

  • prepare as soon as practicable a statement for the OAIC detailing the breach
  • subsequently notify each affected patient of the content of that statement (if not practical, your practice must publish a copy of the statement on its website). website

Case study: Privacy breaches and electronic communication

The Australian Information Commissioner ordered a Victorian general practice to pay $16,400 in compensation following a breach of privacy. This is the largest award of compensation made by the Commissioner in the context of a medical or healthcare privacy matter. 
The practice had inadvertently sent an email containing sensitive information to an incorrect email address. The email included information concerning the human immunodeficiency virus status of the complainants. 
Read the full story, complete with recommendations here.12 

10 Australian Government Office of the Australian Information Commissioner . (2001). Notifiable Data Breaches Report . 
11Australian Government Office of the Australian Information Commissioner . (2001). Notifiable Data Breaches Report . 
12 Carter, D., & Hartridge, S. (2002). Privacy breaches and electronic communication: Lessons for practitioners and researchers. Australian Journal of General Practice, 51(7), 497-499.