Incident Response & Breach Preparation
Know exactly what to do before something goes wrong.
When a data breach occurs, the first 24 hours are critical. Notification deadlines begin running immediately. Evidence can be lost. The wrong response can turn a manageable incident into a significant regulatory and reputational problem. This service ensures your practice has a tested, documented plan — and that your team has practised using it before it matters.
The first 24 hours define the outcome
Under the Notifiable Data Breaches scheme, practices must notify the OAIC within 30 days of becoming aware of an eligible data breach. But the practical clock starts much sooner — evidence needs to be preserved, systems may need to be isolated, and decisions about patient notification often need to be made within hours, not weeks.
Most practices we speak with don't have a documented response plan. When a breach occurs — ransomware, a misdirected email containing patient records, or unauthorised access to the PMS — they're working it out in real time, under pressure, without knowing who's responsible for what or who to call first.
A tested, documented plan doesn't eliminate incidents. But it dramatically improves how quickly and effectively your practice responds — and it demonstrates to the OAIC that you took your obligations seriously, which matters if you're ever investigated.
30 days: Maximum time to notify the OAIC after becoming aware of an eligible data breach under the NDB scheme (Privacy Act 1988, Part IIIC).
72 hours: Insurers and legal advisors recommend beginning breach response activities within 72 hours of discovery (industry standard for breach response).
New tort: Patients can now personally sue for serious privacy breaches, and a documented response can demonstrate reasonable remediation steps (Privacy and Other Legislation Amendment Act 2024).
What we cover in your plan
Your plans are customised to your practice's systems, team structure, and specific regulatory obligations — not adapted from a generic template.
NDB scheme notification obligations
When notification is required, who notifies, how to complete the OAIC form, and what the 30-day timeline means in practice.
My Health Records Act breach reporting
Separate reporting obligations under the My Health Records Act for practices registered with the system.
OAIC notification process
Step-by-step guidance on the OAIC notification process — what to include, what to expect, and how to communicate with the OAIC.
Cyber Security Act ransomware reporting
For practices with turnover above $3M, reporting obligations under the Cyber Security Act 2024 when ransomware payments are made.
Internal escalation and roles
Who does what in the first hour, first day, and first week — including IT provider coordination and when to engage external legal or forensic support.
Patient notification templates
Draft notification letters for different breach scenarios, ready to adapt and send when needed — not something to draft under pressure.
The tabletop exercise
A documented plan is only as useful as the team's ability to use it. The tabletop exercise gives your key staff the chance to practise a realistic breach scenario before it matters.
Realistic healthcare scenarios
We present a breach scenario relevant to your practice — ransomware encrypting your PMS, a misdirected email with patient records, or unauthorised access by a former staff member — and walk your team through the response step by step.
Tests roles and decision-making
Your practice manager, lead clinician, and IT provider coordinator each have specific responsibilities. The exercise tests whether everyone knows their role and can make the right decisions under pressure.
Identifies gaps in the plan
Almost every tabletop exercise reveals something the plan doesn't cover — a contact number that's missing, an escalation path that's unclear, or a system that nobody knows how to isolate. Better to find these gaps now.
Builds confidence
Staff who have walked through a breach scenario once are significantly more confident and effective when a real incident occurs. The exercise turns a theoretical plan into muscle memory.
Two options to suit your needs
Start with the plans if you need documentation quickly, or get the full engagement including the tabletop exercise to make sure your team can actually use them.
Plans Only
Documentation without the exercise
1. Customised Data Breach Response Plan: Step-by-step response procedures mapped to NDB scheme, My Health Records, and OAIC notification requirements
2. Customised Incident Response Plan: Broader response plan covering ransomware, malware, system outages, and other security incidents beyond data breaches
3. Key contacts card: Wallet-sized reference card with the critical contacts and first steps — for when people need guidance fast
4. Walkthrough call: Review session to ensure your team understands the plans and their roles
Best for: Practices that need documented plans quickly — for insurance purposes, accreditation, or after a near-miss — and will add the tabletop exercise later.
Plans + Tabletop Exercise
Documentation and team practice
Everything in Plans Only, plus:
5. Tabletop exercise: 60–90 minute guided walkthrough of a realistic breach scenario with your key staff — tests your plan, your team's roles, and your decision-making under pressure
6. Post-exercise debrief: Discussion of what worked, what didn't, and any gaps identified — with plan updates incorporated where needed
Best for: Any practice that wants to be genuinely prepared — not just compliant on paper. Particularly valuable for practices without cyber insurance, or those that have experienced a near-miss.
How it works
A structured engagement that produces ready-to-use plans, not theoretical frameworks.
Scoping call
We learn about your practice's systems, team structure, IT provider arrangements, and any specific incidents or concerns that should be addressed in the plans.
We draft your plans
Both plans are customised to your practice — your PMS, your team roles, your IT contacts, and your specific regulatory obligations. Delivered as editable Word documents.
Review and walkthrough
We walk through the plans with you and your practice manager to ensure everything is accurate and your team understands their roles.
Tabletop exercise (if included)
Scheduled 1–2 weeks after plan delivery. We run a realistic scenario with your key staff and debrief afterwards. Plan updates incorporated where needed.
Be ready before something goes wrong
Start with a free 15-minute scoping call. We'll understand your practice's setup, confirm which option suits you, and provide a fixed quote — no obligation.
Already have plans but not sure if they're up to date? We can review and update existing plans — get in touch to discuss.
Frequently asked questions
We already have a data breach response plan — do we still need this?
Possibly — it depends on the plan. Generic templates downloaded from the internet often don't reference your specific systems, team roles, or the regulatory frameworks that apply to your practice. They also rarely include the OAIC notification process or My Health Records obligations. We can review your existing plan and update it where needed rather than starting from scratch — ask about this on the scoping call.
Who should participate in the tabletop exercise?
At minimum: your practice manager, your lead GP or clinical director, and whoever coordinates with your IT provider. For larger practices, it's also useful to include your front desk lead. The exercise works best with 3–6 people — enough to test roles without becoming unwieldy.
Do we need cyber insurance before doing this?
No — and in fact, this service can help you get cyber insurance. Many insurers now require documented incident response plans as a condition of coverage, or offer reduced premiums for practices that have them. If you're applying for cyber insurance, a completed plan from this engagement can be submitted as evidence of your preparedness.