The Health Department breached the Privacy Act when it released data about one in 10 Australians and didn't adequately protect their identities.

In August 2016 the department published data on a government website regarding a 10 per cent sample of people who had made a claim for payment of Medicare benefits since 1984.

It thought it had protected identities in the records, but a month later researchers at the University of Melbourne uncovered a weakness in the encryption method, allowing the potential for Medicare service providers to be identified.

They found there was a risk that some individuals could be identified by linking the dataset with other sources of information.

Following an investigation, the Australian Information Commissioner Timothy Pilgrim found the department breached the Privacy Act, but said it was unintentional.

"There were flaws in the process followed by the department in de-identifying the dataset, assessing the risk of re-identification and deciding to publish it," his report released on Thursday said.

"The commissioner accepts that decryption of Medicare service provider numbers per se does not mean that a provider is identified, however, the result of the decryption meant that there was potential to re-identify providers."

The commissioner accepted an enforceable undertaking from the department, acknowledging how cooperative the department had been with the investigation and the steps it has taken to minimise the privacy impact of the incident once it was notified.