Confidentiality lies at the heart of the doctor–patient relationship. Even in well-managed practices, mistakes can occur. This case highlights how Medical Protection supports members when a breach of confidentiality arises from a clinical action and how this sits alongside a practice’s separate obligations under data protection law.
Background
Mr K, a 42-year-old IT consultant, had recently moved to a new town and registered with a local GP practice. He booked an appointment with Dr L to review his diabetes management and ensure his medication records were accurate and complete.
During the consultation, Mr K disclosed sensitive information about his mental health, including a recent breakdown. Dr L documented this carefully and planned a follow-up review.
The incident
Later that day, Dr L intended to send an educational leaflet and follow-up information to a patient he had seen earlier about diabetes management. While preparing the email, he inadvertently attached the wrong document, Mr K’s consultation notes from that morning, instead of the intended leaflet. The email was sent directly by Dr L from his clinical account.
A few days later, the unintended recipient contacted the practice, concerned after receiving another patient’s medical information. The practice manager immediately investigated and confirmed that Mr K’s confidential clinical notes had been disclosed in error.
Impact and response
Mr K was informed promptly once the breach was confirmed. He was understandably distressed that his sensitive mental health information had been shared. He submitted a formal complaint to the practice, citing emotional distress and a loss of confidence in the healthcare system.
Dr L and the practice manager met with Mr K to apologise sincerely and to explain the circumstances. Dr L accepted full responsibility for the error.
Because the breach involved the disclosure of special category data, the practice, acting as the data controller, had a statutory obligation to assess and report the incident under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The practice notified the Data Protection Commission (DPC) within 72 hours and initiated a review of its data-handling procedures.
Mr K later submitted a complaint to the Irish Medical Council (IMC), alleging a professional breach of confidentiality by Dr L. Recognising the professional implications, Dr L contacted Medical Protection for medicolegal advice and support.
Medical Protection assistance
Medical Protection immediately supported Dr L in responding to the IMC complaint, providing medicolegal advice, assistance with drafting a professional response, and representation throughout the regulatory process.
Because the breach had arisen directly from a clinical communication, Medical Protection was also able to advise Dr L on the data-protection implications that affected him personally, while distinguishing these from the practice’s wider administrative obligations.
With Medical Protection’s guidance, Dr L prepared a reflective statement acknowledging the error, demonstrating insight, and outlining remedial steps taken within the practice.
Dr L offered undertakings to the Preliminary Proceedings Committee (PPC) to complete additional confidentiality and GDPR-awareness training, and to ensure that relevant practice policies were regularly reviewed and monitored. The PPC accepted these undertakings and concluded that no further action was required.
Data Protection Commission outcome
Separately, the practice, as data controller, engaged directly with the DPC regarding its organisational responsibilities. The DPC required the practice to:
- Strengthen systems for managing patient information and electronic correspondence
- Provide regular staff training on GDPR compliance
- Review and document data-handling policies on an annual basis
A modest administrative fine was imposed on the practice. The practice accepted the findings and implemented all recommended measures.
Medical Protection’s involvement in this aspect was limited to advising Dr L on his individual responsibilities and helping him understand how the DPC process intersected with his professional duties. Medical Protection does not cover or contribute to the administrative fine or compliance costs, as these fall outside its remit.
Conclusion
This case demonstrates how an accidental breach of confidentiality arising from a clinical act can trigger both professional and data-protection scrutiny.
Through early engagement with Medical Protection and transparent cooperation with the DPC, Dr L and the practice managed the matter responsibly, balancing professional accountability with organisational compliance whilst maintaining patient trust in the process.