Data Breach Response Plan
Last updated: 6 February 2026
1. Purpose
This Data Breach Response Plan outlines how Phoenix Health Pty Ltd ("Phoenix Health") will respond to data breaches involving personal and health information, in compliance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth) and the Health Records Act 2001 (Vic).
As a health service provider handling sensitive health information, Phoenix Health has heightened obligations to protect this information and respond promptly to any breach.
2. What is a Data Breach?
A data breach occurs when personal information held by Phoenix Health is:
- Accessed without authorisation (e.g. a cyber attack, unauthorised staff access)
- Disclosed without authorisation (e.g. information sent to the wrong recipient)
- Lost in circumstances where unauthorised access or disclosure is likely (e.g. a lost or stolen laptop or phone holding unencrypted data, or encrypted data whose key or passcode was lost with it)
3. Eligible Data Breaches
Under the NDB scheme, a data breach is an "eligible data breach" if:
- There is unauthorised access to, or unauthorised disclosure of, personal information held by Phoenix Health, or information is lost in circumstances where such access or disclosure is likely to occur; AND
- A reasonable person would conclude that the breach is likely to result in serious harm to any of the individuals whose information is involved.
Because Phoenix Health handles sensitive health information, the "serious harm" threshold is more likely to be met. The sensitivity of the information, and whether it was protected by security measures such as encryption, are among the matters the Privacy Act requires us to weigh when assessing the likelihood of serious harm. A breach of health information is not automatically an eligible data breach, but we treat any breach involving health information as high risk until the assessment shows otherwise.
4. Our Response Process
Step 1: Contain
Take immediate steps to contain the breach and limit any further access, disclosure, or loss of information. This may include disabling compromised accounts, resetting credentials and revoking active sessions and tokens, isolating affected systems, and retrieving or recalling information where possible. Before any affected system is wiped or rebuilt, preserve the evidence needed for the assessment and investigation (logs, disk images, the misdirected message and its recipient details), so that containment does not destroy the record of what was accessed and by whom.
Step 2: Assess
Begin a reasonable and expeditious assessment as soon as we suspect a breach may have occurred. Our internal target is to complete the assessment within 72 hours of becoming aware of the breach; the Privacy Act requires that all reasonable steps be taken to complete it within 30 days. The assessment determines:
- The type of information involved (personal, health, government identifiers such as Medicare numbers)
- The number of individuals affected
- The circumstances of the breach (accidental vs. malicious) and who has, or is likely to have, obtained the information
- Whether the information was encrypted or otherwise protected, and whether that protection is likely to have been defeated
- Whether the breach is likely to result in serious harm
- Whether remedial action has been, or can be, taken so that serious harm is no longer likely (if so, the breach is not an eligible data breach and notification is not required, but the incident is still recorded in the breach register)
Step 3: Notify
If the assessment concludes that the breach is an eligible data breach, we will notify:
- The Office of the Australian Information Commissioner (OAIC) — by submitting a Notifiable Data Breach statement via the OAIC online portal as soon as practicable after the assessment concludes that the breach is eligible. The statement includes Phoenix Health's identity and contact details, a description of the breach, the kinds of information involved, and the steps we recommend affected individuals take.
- Affected individuals — as soon as practicable after the statement is prepared, by direct notification (email or phone) where practicable, or by publishing the statement on our website and taking reasonable steps to publicise it if direct notification is not practicable. The notification will include:
- A description of the breach
- The kinds of information involved
- Recommended steps individuals should take in response
- Contact details for our Privacy Officer
- Contact details for the OAIC
- Health Complaints Commissioner Victoria (HCC) — if the breach involves Victorian health information subject to the Health Records Act 2001.
Step 4: Review & Prevent
After the immediate response, we will:
- Conduct a thorough investigation to identify the root cause
- Implement measures to prevent recurrence
- Update security procedures and staff training as needed
- Document the breach and our response in our internal breach register, including breaches assessed as not eligible and the reasons for that conclusion
- Review and update this plan if necessary
5. Responsibilities
- Privacy Officer: Leads the breach response, coordinates notifications, and liaises with the OAIC and HCC. Contact: privacy@phoenixhealth.com.au
- Technical Team: Responsible for containment, investigation, and implementing technical remediation measures.
- All Staff: Must report any suspected breach to the Privacy Officer immediately upon discovery. Staff are trained to recognise potential breaches.
- Senior Management: Oversees the response, approves notifications, and ensures adequate resources are allocated to the response.
6. Security Measures
Phoenix Health maintains the following measures to prevent data breaches and minimise their impact:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Role-based access controls with principle of least privilege
- Two-factor authentication for client accounts
- Google Workspace SSO with domain restrictions for staff
- Comprehensive audit logging of all data access, with each record flagged where it involves health information (PHI) or other personal information (PII), so that the records and individuals affected by an incident can be identified during assessment
- Regular access reviews and security audits
- Staff training on data protection and breach identification
- Hosting infrastructure covered by a SOC 2 attestation
7. Reporting a Suspected Breach
If you believe your personal or health information held by Phoenix Health may have been compromised, please contact our Privacy Officer immediately:
- Email: privacy@phoenixhealth.com.au
- Phone: 1300 PHOENIX (1300 743 649)
8. Regulatory Contacts
- Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au
- Health Complaints Commissioner Victoria (HCC): hcc.vic.gov.au
9. Review of this Plan
This Data Breach Response Plan is reviewed annually, and after any eligible data breach, and updated as necessary. It is maintained in accordance with the Notifiable Data Breaches scheme (Part IIIC, Privacy Act 1988 (Cth)) and the Health Records Act 2001 (Vic).