Practice under scrutiny for referrals faxing error

6 minute read

Private documents accidentally sent to the wrong person highlights how critical secure messaging delivery systems are in practice.

A case where human error caused private documents to be sent to the wrong person is a reminder to only communicate via secure messaging delivery systems. 

A case where multiple medical records were faxed to a wrong number, reminds both doctors and practices to move away from less secure methods such as fax, when sending patient information.

A medical practice had intended for patient referrals to be faxed to a psychologist. Unfortunately, the wrong number was entered into the practice’s referral details address book, which belonged to a member of the public who continued to receive the referrals for the next two years.

Faxing error goes unnoticed

The man who received the faxes did not contact the practice as he did not want to alarm the patients but, as the faxes continued to arrive, he decided to contact a newspaper with his story.

He estimated he had received the documents of approximately 10 patients over two years, most of which he disposed of straight away. These included detailed medical histories and mental health plans for patients diagnosed with severe anxiety, depression and sleep disorders. The documents also contained personal information including names, birth dates, Medicare numbers and addresses.

The practice discovered the data breach had been caused by human error. This involved mixing up the digits of the fax number when the psychologist’s contact details were put into the practice’s referral details address book.

The error went unnoticed as the GP gave a hard copy of each referral to the patient to take to the psychologist. Therefore, the psychologist didn’t realise they were missing the faxes.

Avant support for the practice

Avant Law assisted the practice by assessing the data breach, notifying the Office of the Australian Information Commissioner (OAIC), and in taking remedial action. Our team also reviewed the practice’s privacy and information security policies and liaised with the privacy regulator on the practice’s obligations under the Privacy Act. With this support, the practice was able to satisfy the OAIC that this was a singular event, and their remedial action meant no further action needed to be taken by the regulator. As such, the practice avoided any fines or sanctions in respect of the data breach.

As part of the remediation and review of the data breach, Avant’s risk advisers also reviewed the practice’s existing data protection and privacy protocols and provided targeted risk education for all the staff on privacy and information security.

If you or your practice experience a data breach, it’s important to notify Avant immediately*.

From the time the data breach is identified, the person or practice has 30 days to assess the breach and make a notification, if required, to the OAIC. Subject to the terms and conditions of your policy, Avant can assist you to assess whether the data breach must be notified to the OAIC. This applies to breaches that are likely to result in serious harm to individuals and remedial action is not considered to prevent the likelihood of harm.

Secure email for sending patient information

According to an OAIC report released last year, human error is second only to criminal attacks as the main reason for data breaches. Information being sent to the wrong recipient (by email, post, or other means) due to human error is the primary cause of data breaches.

The RACGP supports phasing out faxed communication, calling it ‘dated technology.’  The RACGP’s recent position statement: ‘Safe and effective transfer of information to and from general practice’ advocates for the use of secure messaging systems because they are the safest, most secure and most efficient communication method.

“Every effort should be made to secure it as much as possible, through the use of password protection, encryption software, or via a secure website with passwords requiring multi-factor authentication,” the guidelines state.

Practices should use a secure messaging delivery system to send patient information. The benefits of sending sensitive information via secure messaging and encrypted email are that they are more secure than fax. Furthermore, if there is a typo in the email address, it’s more likely the email would ‘return to sender,’ rather than being sent to a random recipient and the content would not be accessible.

Key lessons

  • Transmission protocols required to send faxes are very outdated. If you are communicating patient information, it should be sent via email using password protection, encryption software or via a secure website.
  • When updating contact information always verify the contact number or email address, to avoid information ending up in the wrong hands.
  • Do not use auto populated options for email addresses.
  • If you or your practice experience a data breach, ensure that you conduct a timely and thorough assessment of the breach.
  • Consider drafting a data breach response plan, which should include a communications plan that covers how to deal with media inquiries. Privacy breaches can attract media interest and a timely response may help maintain your reputation and minimise the impact for any affected patients.
  • It’s important to notify Avant immediately so an assessment can be performed and the OAIC notified, if necessary, within the 30-day period.

Useful resources

More information

Discover our comprehensive suite of tailored products and services that all work together to make running a practice easier, safer and more efficient.

Find out more at

Author: Peter Harris, BSc, LLB, LLM (Hons), Associate, Avant Law


Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgment or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant are not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published (February 2022). © Avant Mutual Group Limited 2022.

The Practice Medical Indemnity Policy is issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765. This policy wording is available at or by contacting us on 1800 128 268. Practices may need to consider other forms of insurance including directors’ and officers’ liability, public and products liability, property and business interruption insurance, and workers compensation.

End of content

No more pages to load

Log In Register ×