Nurse’s privacy breach raises significant implications for practice
Sunday, 2 February 2025
Receiving a complaint about a data breach can understandably send any practice owner or practice manager into a panic. However, knowing your obligations if a breach occurs can help you respond promptly and effectively.
In this case, a practice* received a complaint about a practice nurse who accessed a colleague’s medical record without a clinical need to do so. News of the breach circulated within the practice, leading other staff to voice their concerns about the confidentiality of their own records.
The incident raised several issues for the practice, including the nurse’s employment, the practice’s legal obligations to notify government agencies about the breach, the practice’s protocols and potential reputational damage. We helped guide the practice through managing the breach and discussed strategies to help prevent future data breaches.
Suspension during investigation
Avant advised the practice to suspend the nurse on full pay while it investigated her access to the medical records of practice employees and her family members.
The practice’s investigation revealed the nurse had accessed the medical records of several colleagues and family members.
Disciplinary action against nurse
Given the findings of the investigation, Avant recommended that the practice seek the nurse’s response to the allegations about her conduct. Avant assisted the practice by drafting a letter to the nurse outlining the allegations and provided a script for the practice to use during its meeting with the nurse.
During the meeting, the nurse admitted she had accessed the medical records and was aware of the practice policy, which stipulated she should only access a patient’s medical record if she had a clinical reason to do so.
Avant advised the practice that, in the circumstances, it was appropriate to dismiss the nurse because:
- The nurse admitted to inappropriately accessing the medical records of several patients.
- The nurse admitted she was familiar with the practice policy concerning access to medical records and she acknowledged her actions breached the policy.
- The practice had followed an appropriate process after the complaint, which included giving the nurse an opportunity to respond to the allegations.
- There was a significant risk to the practice’s reputation arising from this conduct, particularly given the practice was obligated to notify all impacted patients of the breach.
Data breach reporting
Under the Notifiable Data Breaches scheme, the practice had to assess whether it was required to notify affected patients and the Office of the Australian Information Commissioner (OAIC) of the breach. A practice must notify affected individuals and the OAIC if:
- the breach could lead to serious harm to an individual whose personal information is involved, and
- the practice is unable to undertake remedial action to prevent the likelihood of serious harm.
The test for ‘serious harm’ requires more than distress or upset. It can include physical, psychological, emotional, financial or reputational harm. Our flow-chart can help you to decide whether a breach needs to be reported.
In this case, the practice notified the OAIC and each person whose medical record had been accessed of the breach. The practice let them know that an investigation had been conducted and that steps had been taken to minimise the risk of any further breach of their privacy (such as training and education for other staff).
Mandatory notification to the Nursing and Midwifery Board
Under the National Law, a practice must make a mandatory notification to the Nursing and Midwifery Board if the practice forms a ‘reasonable belief’ that a nurse is engaging in ‘notifiable conduct’ which is defined as:
- practising while intoxicated
- placing the public at risk of serious harm because they are practising with an impairment
- sexual misconduct in connection with their medical practice
- placing the public at risk of harm due to practising in a way that is a significant departure from professional standards.
In this case, the practice decided it was appropriate to notify the Nursing and Midwifery Board about the nurse’s conduct. For more information on mandatory notifications about health practitioners, read our Mandatory reporting factsheet.
Review of practice protocols
A risk adviser from Avant’s Risk Advisory Services team discussed access to medical records with the practice. The risk adviser reviewed the practice’s policies and procedures with the aim of minimising the risk of any data breaches occurring in the future. This included recommending that privacy training be completed by all staff and that the training be documented. The practice also reviewed its policies on staff access to patient records and further restricted access so that it occurs only when necessary.
The practice was also reminded that, as far as possible, it should avoid treating practice staff and their families, except in emergencies, in line with the Medical Board of Australia’s Code of Conduct. For more information, read about why treating staff members can be problematic.
Avoiding reputational damage
If an incident like this becomes widely known, it can result in mistrust of your entire service. Patients and staff may leave the practice or seek assurance that their personal information is confidential and secure.
Fortunately, the practice in this case was not exposed to online comments or media interest. The patients contacted by the practice appreciated the practice’s open disclosure and the assurances given that steps had been taken to minimise the risk of any future breach.
Useful resources
Article: Proposed new statutory changes to the Privacy Act
Avant factsheet: Responding to a data breach
Avant can support your practice^ with our practice management tools, insurance, business consultancy services and finance options, which can help provide protection, drive efficiency and enable growth for practices of all sizes.
Disclaimers
*The case discussed in this article is based on a real case. Certain information has been de-identified to preserve privacy and confidentiality.
Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law Pty Limited are members of the scheme.
^Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgment or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant and Avant Practice Solutions are not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.
IMPORTANT: This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.