It’s important to report cyber breaches or incidents as soon as possible to help prevent further damage and to increase the chances of identifying and prosecuting the perpetrators.

What About My Obligations Under My Health Records?

 As a pharmacy owner in Australia, the My Health Records Act 2012 (Cth) outlines several responsibilities that you have concerning the Australian government’s My Health Record system. Some of these responsibilities relating to an incident include:

1. Privacy and security: You must comply with the My Health Records Act 2012 and the Australian Privacy Principles when handling PHI in the My Health Record system. This includes implementing appropriate privacy and security controls to protect the confidentiality and integrity of PHI.
2. Reporting: You must report any data breaches or unauthorised access to PHI in the My Health Record system to the Office of the Australian Information Commissioner and the Australian Digital Health Agency.

What Are The Penalties For Not Complying With The Rules?

Under the Notifiable Data Breaches (NDB) scheme in Australia, if an organisation experiences a data breach that is likely to result in serious harm to any individuals whose personal information is involved, they are required to report the breach to the Office of the Australian Information Commissioner (OAIC) and notify affected individuals as soon as practicable.

The penalties for not reporting a cyber privacy breach in Australia can include the following:

1. Civil penalties: The OAIC can seek civil penalties for serious or repeated breaches of the NDB scheme. The maximum penalty for a serious or repeated breach of the NDB scheme is 10 million Australian dollars (AUD) for a body corporate or 2 million AUD for an individual.

The My Health Records Act 2012 (Cth) outlines penalties for non-compliance with the Act, including fines and potential criminal charges. The specific penalties and consequences for non-compliance are as follows:

1. Criminal penalties: The My Health Records Act 2012 provides criminal penalties for certain offences. For example, it is an offence to intentionally access or disclose PHI in the My Health Record system without authorisation, with a maximum penalty of 2 years imprisonment for an individual or 10 years imprisonment for a corporate body.

2. Civil penalties: The My Health Records Act 2012 provides for civil penalties for certain breaches of the Act. For example, suppose a healthcare provider fails to obtain an individual’s consent before uploading their personal health information (PHI) to the My Health Record system. In that case, they may be liable for a civil penalty of up to 5,000 penalty units (currently $1.11 million) for a corporate body or 1,000 penalty units (now $222,000) for an individual.

Alongside the financial and legal penalties, the following impacts may also apply to your business:

1. Reputational damage: Non-compliance with the My Health Records Act 2012 can also damage your pharmacy’s reputation, potentially impacting customer trust and loyalty.

2. Loss of business: In addition to the above penalties, non-compliance with the Act can also result in loss of business and revenue if customers choose to take their business elsewhere due to privacy and data protection concerns.