Advisory notice from the Privacy Commissioner to all primary care providers affected by the Manage My Health data breach.

Notifiable privacy breach requirements.

Download a copy of this information on letterhead (opens to PDF, 123KB).

Summary

This notice is to advise that the Privacy Act’s requirement to notify the Privacy Commissioner about the Manage My Health cyber breach under section 114 is satisfied through information being provided directly by Manage My Health. 

On this basis, primary care providers do not need to formally notify OPC about the breach. More information is provided in this notice.

Purpose

The purpose of this Notice is to provide primary care providers whose patients have been impacted by the Manage My Health cyber incident with clarity about their data breach notification requirements under section 114 of the Privacy Act.  

The Privacy Commissioner’s aim is to provide an efficient means of satisfying the requirements of the Privacy Act so that primary care providers can focus their attention on supporting their affected patients as these individuals are progressively informed of the breach under section 115 of the Privacy Act.

Privacy Act - section 114 reporting requirements 

Under the Privacy Act, primary care providers using third-party platforms are generally responsible for reporting serious privacy breaches to OPC. Read more information about which agency reports a privacy breach.

Manage My Health Data Breach: Coordinated Primary Care Reporting Process

The Office of the Privacy Commissioner was notified by Manage My Health of a cyber incident causing or likely to cause serious harm affecting its patient portal platform on 1 January 2026.

Manage My Health provides patient portal services to the patients (registered users) of health providers under a third-party contract. Individuals can also register for services directly.

We understand that Manage My Health has now contacted client primary care providers whose patient data has been impacted by the breach of their platform.  

The Office of the Privacy Commissioner has arranged with Manage My Health to obtain a list of all affected primary care providers along with their contact details and the numbers of affected patients. This is sufficient information to satisfy the notification requirement. Primary care providers are not required to individually notify the Office of the Privacy Commissioner.

Once contact details are received from Manage My Health, impacted primary care providers will receive an acknowledgement from the Office of the Commissioner and will be contacted directly as further information is required. Primary care providers who have already notified OPC will also receive an acknowledgement.

Note that providers may receive patient information requests and privacy complaints from affected individuals about the cyber breach. Practices should therefore take steps to manage increased volumes of privacy requests and complaints that may result from this situation.