
2026-03-28

# Privacy Act Penalties for Medical Practices: What You Actually Risk

Most practice managers know, vaguely, that there are penalties for privacy breaches. Few know the actual numbers. Fewer still understand how the 2022 amendments changed the calculus from "manageable risk" to "existential threat."

Let me lay out what you're actually exposed to.

## The Old Regime (Pre-December 2022)

Before the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 took effect, the maximum civil penalty for a serious or repeated interference with privacy was:

At the penalty unit values that applied, this translated to roughly $2.2 million for bodies corporate (the exact figure depended on the penalty unit value at the time). That's not nothing, but for larger organisations it was a rounding error. The economic incentive to invest heavily in data protection was, frankly, weak.

The OAIC also had limited enforcement tools. It could investigate, make determinations, and seek enforceable undertakings, but the path to meaningful financial penalties was narrow and slow.

## The New Regime (Post-December 2022)

The 2022 amendments, passed in the wake of the Optus and Medibank data breaches, fundamentally restructured the penalty framework.

For a serious or repeated interference with the privacy of an individual, the maximum civil penalty is now the greatest of:

1. $50 million

2. Three times the value of any benefit obtained directly or indirectly from the conduct

3. 30% of the entity's adjusted turnover in the relevant period (if the court cannot determine the benefit)

For individuals (including sole practitioners), the maximum penalty is $2.5 million.

These numbers were not chosen at random. They were explicitly modelled on the penalty regime in the Competition and Consumer Act 2010 and designed to ensure that no organisation could treat a privacy breach as an acceptable cost of doing business.

## What Counts as a "Serious" Interference?

The Privacy Act doesn't exhaustively define "serious," but the OAIC and courts consider factors including:

For medical practices, the sensitivity factor is permanently elevated. Every record you handle contains sensitive information by default. You don't get the benefit of the doubt that a retailer might.

## What About "Repeated"?

This is the one that should concern smaller practices. A single accidental email to the wrong recipient is unlikely to trigger maximum penalties. But a pattern of insecure practices -- staff routinely emailing unencrypted records, no encryption policy in place, no staff training, no incident log -- can establish "repeated" interference even if no single incident is catastrophic.

The OAIC can look at systemic failures, not just individual incidents. If your practice has no documented security measures for data in transit, every unencrypted email is a data point in a pattern.

## OAIC Enforcement Posture

The OAIC has historically been under-resourced relative to its mandate. Enforcement actions have been selective, focusing on large-scale breaches and systemic failures rather than individual incidents at small practices.

However, the trend line is clear:

**The Medibank proceedings.** In 2023, the OAIC commenced Federal Court proceedings against Medibank Private Limited, alleging serious and repeated interferences with privacy in connection with the 2022 data breach that affected approximately 9.7 million individuals. This was the first major test of the enhanced penalty regime.

**Increased funding.** The government has progressively increased the OAIC's budget, and the agency has signalled that it intends to take a more active enforcement posture. The 2022 amendments also gave the OAIC expanded powers, including infringement notices for specific breaches.

**The Notifiable Data Breaches scheme.** Since February 2018, organisations subject to the Privacy Act must notify the OAIC and affected individuals of eligible data breaches -- those likely to result in serious harm. The OAIC publishes statistics on these notifications. In the January-June 2023 reporting period, health service providers were consistently the sector reporting the highest number of data breaches. This visibility means the OAIC knows exactly where the problems are concentrated.

**General enforcement trend.** Even before the Medibank proceedings, the OAIC had pursued determinations and enforceable undertakings against health entities. The enhanced penalties give these actions substantially more weight. An enforceable undertaking that previously had modest penalties for non-compliance now sits in the shadow of a $50 million maximum.

## The Small Practice Calculation

Here's where this gets concrete for a typical medical practice.

Most small-to-medium practices are bodies corporate (Pty Ltd). Even as a small company, you're subject to the body corporate penalty tier. The $50 million maximum is obviously disproportionate to a practice with $2 million in revenue -- no court would impose it. But the "30% of adjusted turnover" measure means a penalty of $600,000 is within the realm of possibility for a serious or repeated breach. That's not academic. That's insolvency.

For sole practitioners operating as individuals, the $2.5 million maximum applies. Again, a court would calibrate the actual penalty to the circumstances, but even a fraction of that figure is devastating for an individual practitioner.

And these are just OAIC penalties. A privacy breach can also trigger:

## The Cost-Benefit Is Not Close

Here's the thing about risk management in this space: the cost of prevention is trivially small relative to the cost of a breach.

Implementing proper encryption for patient record transfers costs somewhere between $0 and a few hundred dollars per month, depending on the approach. Staff training on secure data handling is a one-time investment measured in hours. A documented privacy policy and breach response plan is a weekend's work.

Compare that to:

The arithmetic is straightforward. Every month that a practice operates without adequate security measures for patient data in transit, it's making an implied bet that nothing will go wrong. That bet has asymmetric downside -- the cost of losing is orders of magnitude larger than the cost of protection.

This isn't a pitch for any specific tool. It's basic risk management. The Privacy Act's penalty regime was specifically designed to make non-compliance economically irrational. The fact that enforcement is still ramping up doesn't change the exposure -- it just means the window to fix things before a regulator forces you to is closing.

## What "Reasonable Steps" Looks Like in Practice

If you want to be on the right side of APP 11, document these:

1. Encryption in transit. Patient records should not be sent via unencrypted email. Use a tool that provides end-to-end encryption.

2. Access controls. Limit who can access and transmit patient records to staff who need to.

3. Staff training. Annual training on data handling obligations. Document it.

4. Breach response plan. Know what you'll do if something goes wrong. The OAIC expects this to exist before you need it.

5. Audit trail. Know what was sent, to whom, and when. If you can't answer these questions, your security posture has a gap.

None of this is complicated. None of it is expensive. The only thing standing between most practices and compliance is inertia.

---

ObsidianVault provides end-to-end encrypted file transfer with built-in audit trails, starting at $9/month. Cheaper than a single hour of a privacy lawyer's time. Start at obsidianvault.vip
