What Is a Medical Privacy Breach?

What is a privacy breach and what do I need to do when a breach has been identified?

A breach is a loss of, unauthorised access to, or disclosure of, personal information.  

For example, the reception area is an open-plan space that tends to be the hub of activity in a clinic. It is typically a shared workspace that nurses, doctors and administration personnel all need to access. The sharing of information between staff in this space exposes clinics to potential privacy breaches.

Areas of concern at reception include the following:

Phone calls (incoming and outgoing)
· Processes need to be in place to minimise the risk of identifiable personal information being overheard by patients, visitors and contractors, in and around the reception and common areas.

· Staff need to be aware of the risk and have the training and skills to mitigate a potential privacy breach.

Staff, visitors and patients
· Clinical team members need to hand over patient care in a private setting, ideally not at reception or common areas where other patients are sitting.

· Visitors and contractors should be following your Health & Safety guidelines and be mindful of the nature of your environment.

Email communications
· Guidelines need to be in place around sending and receiving patient information, e.g. verifying recipient email addresses, the purpose of the request, etc. Staff awareness should be raised about 'phishing' attacks, where attackers create a fictitious email address designed to resemble a legitimate one. When sending an email, the recipient's address needs to be verified as correct and current to ensure confidential information is not accidentally released.

Incoming Faxes
· Is your fax machine only accessible by members of your staff? If not, what is in place to manage incoming faxes? (Consider after-hours cleaners, unattended work areas, etc.)

· What is your process for handling incoming faxes to maintain patient privacy?

Consultation Notes
· Computers in consult/treatment rooms need to be logged off by the provider when patients are left unattended. Screen savers should be set to come on if the PC is not being used for a set time period.

X-ray and laboratory reports
· Radiology and laboratory results coming into reception for review need to be kept in an area accessible by staff only and in one location for clinical staff to monitor and follow up as appropriate.

Privacy is challenging in a busy, front-of-house reception. Your reception staff are key to ensuring privacy.


If a breach occurs, the following four steps are a guide to the action that needs to be taken to identify and manage the breach of the affected person's (or persons') personal information.

STEP 1 - Containment

Contain the breach

Appoint one person to oversee

Decide if a team is needed to investigate

If criminal activity is suspected, call the Police

Retain any relevant evidence

STEP 2 - Evaluation

Identify the information involved and the specific content details

Determine if the information needs to be secured or encrypted

Can the cause be identified?

Is this a systemic problem or an isolated incident?

Evaluate the size of the breach

Would the breach result in harm? (e.g. identity theft, financial loss, loss of dignity)

Who potentially has this information?

STEP 3 - Notification

Identify any risk or harm to the people affected 

If law enforcement authorities are involved, check when to notify affected people

Directly notify individuals by phone, letter, email or in person

Consider any third-party contractors or parties that should be informed.

Any serious breach must be reported to the Privacy Commissioner 

STEP 4 - Protection

Audit both physical and technical security

Review policies and procedures

Review staff training

Review any service partners caught up in the breach.

Contact: Office of the Privacy Commissioner, 09 3028680


In my role, I am available to assist in reviewing your reception procedures and making recommendations to ensure your key staff have the necessary skills to achieve optimum patient privacy.

Book online using the following link if you would like to discuss this further. I welcome any queries and look forward to speaking with you.

To book a meeting with Debbie


Debbie Cripps
