What Australian Gym Owners Must Do When They Get Hacked

Graham Slater • June 22, 2026

The 30-Day Clock Starts the Moment You Suspect

You arrive at your gym on a Tuesday morning. A staff member mentions that the booking system behaved strangely over the weekend — slow to load, some records looked different. IT contacts from your software provider confirm that there was an "unusual access event." Your stomach drops.

What happens next is not just a technical problem. It is a legal obligation with a ticking clock. Under Australia's Notifiable Data Breaches (NDB) scheme, you have a maximum of 30 days from the moment you become aware of a potential breach to assess whether it is likely to result in serious harm to any affected individuals. If it is, you must notify both the OAIC and every affected member as soon as practicable.

The clock does not start when you confirm the breach. It starts when you have reasonable grounds to suspect one. For gym owners who are not IT experts, this distinction is crucial — and it is where many businesses make the costly mistake of waiting too long, hoping the issue will resolve itself or turn out to be nothing. That approach can transform a manageable compliance situation into a criminal cover-up in the eyes of the regulator.

What the NDB Scheme Requires

The Notifiable Data Breaches scheme was introduced in 2018 and applies to all businesses covered by the Privacy Act — which, as we have established elsewhere, includes gyms and fitness businesses classified as health service providers. The scheme requires a specific, structured response to eligible data breaches.

An eligible data breach occurs when three conditions are met: personal information is accessed, disclosed, or lost without authorisation; the relevant entity was unable to prevent the risk of serious harm through remedial action; and the access, disclosure, or loss is likely to result in serious harm to any of the affected individuals.

What constitutes serious harm? Under the Privacy Act, the OAIC considers factors including the sensitivity of the information (health information always raises this threshold), the number of individuals affected, whether the information, combined with other data, becomes more useful to a malicious actor, and whether the people who accessed the information are likely to use it harmfully.

Step One: Contain and Assess (0 to 30 Days)

Your immediate job when a potential breach is identified is to contain the damage and assess whether it meets the NDB threshold. Containment means cutting off the attacker's access: resetting compromised passwords, revoking suspicious sessions, disconnecting affected systems from the network if necessary, and preserving evidence for investigation.

Assessment means genuinely trying to determine what data was accessed, by whom, and whether serious harm is a realistic possibility. For a gym, this typically involves reviewing logs from your management software, checking whether health records, payment details, or sensitive personal information were in the affected system, and consulting with an IT security specialist if your own capabilities are limited.

This is where cyber insurance proves its value. A good cyber policy provides immediate access to a forensic IT response team — the "digital detectives" who can establish exactly what happened and help you satisfy your assessment obligations within the 30-day window.

Step Two: Notification — Who You Tell and How

If the assessment concludes that an eligible data breach has occurred, notification is required on two fronts simultaneously: to the OAIC, via the online form on their website; and directly to each individual whose information was involved in the breach.

The statement to the OAIC must include: the identity and contact details of the organisation; a description of the breach; the kinds of information involved; what steps have been taken in response; and what affected individuals should do to protect themselves.

Notification to affected members must include the same core information, delivered directly to each person whose data was involved. For a gym with several hundred members in a breach affecting the whole database, this means preparing individualised or batch notifications, reviewing them for legal accuracy, and distributing them promptly. If some members cannot be notified directly (for example because their contact details were among the compromised data), you are required to publish a prominent notice on your website or take other reasonable steps to bring the breach to their attention.

What Happens If You Cover It Up

The temptation to "wait and see" or simply not report a breach is understandable. Nobody wants the reputational damage of telling their members that their data may have been exposed. But the consequences of non-reporting are far more severe than the consequences of transparent and prompt notification.

The OAIC treats failure to comply with NDB obligations as among the most serious privacy violations. If a member discovers their data on a dark web marketplace and reports it to the OAIC, and the investigation reveals that the gym owner was aware of the breach and did not report, the regulator treats this as deliberate concealment. The full Federal Court civil penalty powers are deployed, and the fact of concealment is treated as an aggravating factor that pushes penalties toward the maximum end of the range.

Australian Clinical Labs was fined $5.8 million, in part, for the inadequacy of their breach notification process. That fine was for a health data business. A gym is in the same regulatory category.

Why You Need Cyber Insurance Before You Need the NDB Scheme

By the time you are dealing with an active breach notification, it is too late to arrange cyber insurance. The value of the cover is in being able to activate the response resources immediately — the forensic investigators, the legal advisors, the notification drafting support — within the critical 30-day assessment window.

A standalone cyber insurance policy from a specialist insurer provides not just the financial coverage for these costs, but direct access to a 24/7 incident response service. When a breach happens at 2am on a Tuesday, you need to be able to pick up the phone to someone who knows exactly what to do. That service is built into a properly structured cyber policy.

The Notification Cost Nobody Budgets For

One aspect of NDB compliance that surprises many business owners is the sheer logistical cost of notification. If you have 800 affected members, you need to:

• Draft a notification letter that accurately and legally describes the breach, the data involved, the risks, and the remediation steps — this requires legal review.

• Verify and update contact details for all affected members.

• Send notifications via a method that creates a record of delivery.

• Set up a dedicated response channel for member enquiries about the breach.

• Handle the volume of incoming calls, emails, and potentially media enquiries that follow public disclosure.

For a small fitness business without dedicated legal or communications staff, this is an overwhelming operational challenge on top of the already-serious technical remediation work. Cyber insurance covers these costs. A business without cover faces them alone, on credit.

Protecting your gym from the full cost of a data breach — including the NDB response — is exactly what we do. Contact us to find out what a comprehensive cyber policy looks like for your business.
