Notifiable Data Breaches Scheme

A data breach happens when personal information is accessed or disclosed without authorisation, or is lost. Medical practices are covered by the Privacy Act 1988, so you must notify both the affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach involving personal information is likely to result in serious harm.

The OAIC has published a Data Breach Preparation and Response Guide: https://www.oaic.gov.au/assets/privacy/guidance-and-advice/data-breach-preparation-and-response.pdf.