When you visit a hospital, GP clinic, or specialist in Canberra, you expect them to protect your private medical information. Unfortunately, data breaches in healthcare are still common, and when one happens, it is not just an IT problem; it is a breach of the duty of care your healthcare provider owes you.

Maliganis Edwards Johnson helps ACT patients whose privacy has been violated by hospitals, clinics, and healthcare providers.

What counts as a healthcare data breach?

A data breach occurs when your medical information is accessed, used, disclosed, or compromised without authorisation. This includes staff accessing your records out of curiosity, information disclosed to family without consent, lost or stolen records, cyber attacks, inadequate security, improper disposal, and sending results to the wrong patient.

Medical privacy breaches cause emotional distress, damaged relationships when others learn about sensitive health conditions, discrimination from employers or insurers, identity theft, loss of trust in seeking care, and reputational harm. These impacts are often profound and long-lasting.

What can you do if your privacy is breached? 

Since 10 July 2025, Australia has had a statutory tort for serious invasion of privacy. You can claim compensation for distress, harm to reputation, and other losses if the invasion was serious, your expectation of privacy was violated, the conduct was intentional or reckless, and no lawful justification existed.

You may also have a negligence claim if the provider failed to protect your information through adequate security, proper training, or established protocols.

Common breach scenarios

  • Staff accessing celebrity or high-profile patient records without legitimate reason
  • Sharing information with family without consent
  • Discussing cases in public areas
  • Sending records to wrong recipients
  • Leaving files accessible in public areas
  • Cyber attacks and ransomware
  • Inadequate access controls

You generally have one year from when you became aware of the breach, or three years from the date the breach occurred (whichever is earlier), to start legal action. Evidence can be lost quickly, so seek legal advice as soon as possible.

How MEJ can help 

We investigate what happened, pursue privacy and negligence claims, negotiate compensation, and hold healthcare providers accountable. 

If your medical privacy has been breached by a hospital, clinic, or healthcare provider, contact MEJ for a free, confidential consultation.
