"Notifiable" breaches?
So, I looked at the links - and it's not clear that a ransomware attack should even be notifiable. Ransomware scum don't commonly, so far as I know, steal records - they just make them unusable.
Take a bow, Australians: we may have had 242 breaches sent to the information commissioner this quarter, but almost nobody fell victim to ransomware attacks. Of all the data breaches reported to the Office of the Australian Information Commissioner (OAIC) between April and June this year, only two were ransomware attacks. …
It's not just about stealing data; it's if the breach results in DATA LOSS of person identifiable information etc. Most ransomware attacks wouldn't be reported, though, as the company can fall back on backups and re-key any data. This is what happens in most healthcare attacks, as data is typically held on systems which are unaffected and anything lost that day is usually re-keyed.
Additionally, there's a stigma now with reporting ransomware, so private companies are increasingly terrified of reporting themselves for fear of the media annihilating them.