29 April 2025
I’ve had a data breach – what do I need to do?
In an era of digital patient records, online bookings and cloud-based dental software, data breaches are a growing risk for Victorian dental practices. A data breach occurs when personal information an organisation or agency holds is lost, or is subjected to unauthorised access or disclosure. Breaches can be caused by cyberattacks, human error or lost devices, and can result in breaches of Commonwealth and Victorian privacy laws, regulatory action and reputational damage.
If you experience a data breach, it’s crucial to act swiftly and methodically and to contact ADAVB for advice and guidance.
1. Identify and contain the breach
- Determine what data has been compromised, including patient records, Medicare details and financial information, and record when and how the breach occurred.
- Contain the breach immediately: isolate or shut down affected systems, revoke compromised accounts and access, and restore from clean backups. Before wiping or restoring a system, preserve logs and other evidence so the cause can be established and reported.
- Review and update internal security measures, including revoking compromised credentials and resetting passwords.
2. Assess the risk and impact
- Evaluate the sensitivity of the exposed data considering health records, financial details, and personal identifiers.
- Consider the potential harm to affected individuals such as identity theft, fraud, or emotional distress.
- Serious harm is not defined in the Privacy Act 1988; however, the Explanatory Memorandum states that it could include: “Serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.”1
- Determine if the breach is serious enough to trigger mandatory reporting.
3. Notify authorities (if required)
- Under the Notifiable Data Breaches (NDB) scheme, any organisation or agency covered by the Privacy Act 1988 must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a breach is likely to result in serious harm to an individual (an eligible data breach). In that case there is an obligation to:
- Assess a suspected eligible breach within 30 days of becoming aware of it, and notify the OAIC as soon as practicable using the Notifiable Data Breach form.
- Notify affected patients, advising them of the risks and of necessary precautions, such as monitoring accounts and changing passwords.
- Failure to notify may attract a civil penalty.2
- If a crime is suspected, the police should also be notified.
4. Review
- Ensure secure data storage, with encryption at rest and in transit and access controls that limit each staff member to the data they need.
- Train staff on data privacy compliance to prevent breaches caused by human error.
- Regularly back up data, test that backups can be restored, and perform security audits to mitigate future risks.
Join our upcoming free CPD webinar on cyber attacks for timely, practical guidance to help protect your practice — register today.
Dr Raj DK Dhaliwal
BDS LLM MDentSci MRACDS (DPH) MFGDPRCS FICD FPFA GAICD
1. Privacy Amendment (Notifiable Data Breaches) Bill 2016 Explanatory Memorandum
2. Privacy Act 1988 (Cth) s13