My Health Record

Data breaches

Data breach notification form

Use this online notification form to notify the Agency of a data breach involving My Health Record. Alternatively, a downloadable version (PDF, 1.17 MB) is available.

Legislation

Organisations participating in the system are required to understand and comply with a range of legislative obligations including the following legislation:

My Health Records Act 2012, My Health Records Rule 2016, My Health Records Regulation 2012, My Health Records (Assisted Registration) Rule 2015, Healthcare Identifiers Act 2010, Privacy Act 1988

Healthcare provider organisations must notify the Australian Digital Health Agency of any potential or actual data breaches that relate to (or may relate to) the My Health Record system. Other data breaches that do not involve the system may need to be handled in accordance with the Privacy Act Notifiable Data Breaches scheme.

Data breaches - My Health Records Act 2012

The characteristics of a breach of health and personal information relating to the system are outlined in the My Health Records Act.

According to the My Health Records Act, a data breach involves:

  • The unauthorised collection, use or disclosure of health information in an individual’s My Health Record; or
  • A situation where:
    a) an event that has, or may have, occurred or
    b) any circumstances have, or may have, arisen
    that compromise, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system (whether or not involving a contravention of the My Health Records Act).

Notification of data breaches - My Health Records Act 2012

Entities using the system must notify the Australian Digital Health Agency (System Operator) of any potential or actual data breaches, as soon as possible. Even if the data breach has been resolved, you must still notify the Agency.

For example, if a healthcare provider’s system is infected with malicious software this could compromise their system and may allow unauthorised access to the information in the system. The provider would need to notify the Agency immediately and at the same time take steps to remove the malicious software from their system.

As the System Operator, we need to take steps to ensure all of the information in the system is secure. Healthcare consumers must also be allowed to take steps to mitigate any risks to their data.

You can learn more by reviewing the OAIC’s Guide to mandatory data breach notification in the My Health Record system.

See "Data breach notification steps" (below) for more information.

Data breach notification steps

A number of steps should be followed when notifying the Australian Digital Health Agency of a potential or actual data breach relating to the system. The information on this page provides an overview of these steps.

Steps for healthcare providers
If you suspect a data breach has, or may have, occurred, the following steps need to be followed. 

1. Contain 
  • Take appropriate steps to immediately contain the situation. 
  • The action required will depend on what has occurred. For example, you may need to disable user accounts, instruct users to change passwords, or disconnect the system while taking care to maintain evidence. 
  • Take steps to reduce the harm healthcare recipients may suffer as a result of the situation. 
  • In the case of a security incident, notify the Australian Digital Health Agency as soon as possible, to minimise any potential risk to the My Health Record system. 
2. Assess 
  • Undertake an initial assessment of the impact and extent of the situation. 
  • Identify what personal information was or may have been affected, and consider whether this information relates to the My Health Record system.
  • Determine the cause of the situation (for example, human error, inappropriate behaviour, security attack).
  • Identify what initial action may need to be undertaken to minimise the impact of the situation. 
3. Manage notifications 
  • Notify the person or team within your organisation who is responsible for My Health Record privacy, security and compliance. 
  • Notify the Agency if: 
    • the matter relates to a contravention involving unauthorised collection, use or disclosure of information in a person’s My Health Record, or 
    • a security incident has occurred, even if you are not certain whether My Health Record information is affected. 
  • Notify the Office of the Australian Information Commissioner (OAIC), except where your healthcare organisation is a state or territory authority or instrumentality. Notify OAIC in relation to: 
    • the matter relates to a contravention involving unauthorised collection, use or disclosure of information in a person’s My Health Record, or 
    • a security incident has occurred, even if you are not certain whether My Health Record information is affected. 
    • For non-My Health Record related matters, refer to the Privacy Act Notifiable Data Breaches scheme information. 
  • Ask the Agency to notify all healthcare consumers that may be affected; or the general public if a significant number of people are impacted. (Note: My Health Record legislation requires healthcare providers to ask that the Agency notify healthcare recipients. This is a requirement even if the healthcare provider has already contacted the healthcare recipients). 
4. Continue investigation 
  • Conduct an extensive investigation to determine the extent of the situation (there is an expectation that this occur at the earliest opportunity). 
  • Take actions to prevent similar situations occurring in the future. 
  • Provide updates to the Agency and the OAIC in relation to any additional findings. 

Who to notify

You will need to complete the Australian Digital Health Agency’s online data breach notification form. Alternatively, the form can be downloaded (PDF, 1.17 MB) and, once completed, sent to the email address provided.

Checklist for providing a notification

The information you need to provide (at a minimum) regarding the actual or potential data breach is outlined in the checklist below:

  • description of the data breach
  • date and time of the data breach
  • when and how you became aware of the breach
  • cause of the data breach
  • type of information involved
  • how many healthcare consumers were or may have been affected
  • whether the data breach was inadvertent or intentional, as well as whether it has been contained
  • any other entities involved in the data breach
  • whether the data breach appears to stem from a systemic issue or an isolated trigger
  • what action has been taken or is being taken to mitigate the effects of the data breach and/or prevent further data breaches
  • any measures that were already in place to prevent the breach
  • whether your organisation has experienced a similar breach in the past
  • name and contact details for the appropriate contact person within your organisation
  • any other relevant information.

Timing of notifications

When a healthcare entity becomes aware a system data breach has, or may have, occurred, the relevant parties must be notified. If you think a data breach may have occurred, but this hasn’t been confirmed, you still need to submit a data breach notification. 

Notifiable Data Breaches scheme - Privacy Act

There are some situations where a data breach does not have to be reported under the My Health Records Act. This could include, for example, where a data breach does not relate to the My Health Record System at all.

These data breaches, however, may still need to be handled in accordance with Privacy Act  Notifiable Data Breaches scheme, which includes a requirement to notify the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.

For more information about the Privacy Act Notifiable Data Breaches scheme or how it interacts with the My Health Record Act data breach notification obligations, visit the OAIC’s website.