Data breaches: avoiding the screen of death

03 December 2020


The digital age has heightened the risks around the safe storage and protection of sensitive data – and dentistry is no different. Dr Simon Parsons, Dentolegal Consultant at Dental Protection, explores the key issues and provides helpful guidance.

Calls to Dental Protection for advice regarding practice data corruption or loss are occurring with increased frequency. These have varied in severity. Some have indicated that despite the best efforts of IT experts, all clinical records, including treatment notes, chartings, digital radiographs, scanned referrals and financial records were irretrievable from the server. Regretfully, there have been some circumstances where appropriate backup has not been undertaken, compounding this loss.

Naturally, the members involved have been incredibly distressed as they no longer know who was attending the practice next and what treatment was still planned for any of their patients. Future complaints are possible in the absence of records to defend their care, and many practitioners are unaware of the legal and ethical implications of the data loss and their responsibilities in this area.

Let’s review some commonly asked questions from members.

What are my responsibilities around the loss of data?

Our online article Health privacy and how to report data breaches has previously discussed the issues relating to any need to report a data loss or breach to regulatory authorities.

The data breach must be assessed to determine whether it is notifiable and needs to be reported to the Office of the Australian Information Commissioner (OAIC). This is a critical step – not only are we professionals who should act accordingly, but the fines for failing to report a notifiable breach are also significant.

Whether notifiable to the OAIC or not, it is important to inform all affected patients of the event and your strategy to address data recovery or rebuilding. This can be extremely difficult if there is a total loss of the database. It is wise to ensure this communication indicates whether the patient’s data was breached or merely lost; the latter does not pose the same level of risk to affected patients in terms of their privacy and the risk of identity theft.

What recovery strategies are helpful?

It can be helpful to source as much information as possible from affiliated third parties to try to rebuild treatment histories. This can mean contacting health funds, dental laboratories, government agencies (such as Veterans’ Affairs, Medicare) and the specialist referral base to see if copies of some of the records can be obtained. There can be limitations on what information such bodies are prepared to provide. When received, this information needs to be manually entered into a new database.

Within the practice, a robust manual system will be needed to create the new dental records. This will include systems to document clinical notes, infection control tracking, new medical histories and patient contact details for every patient and a temporary appointment book. Additionally, future radiographic and study model records would be created in most instances, at no charge.

What must I look for to ensure a robust IT system?

With most practices relying on practice management software and hardware, it is critical that secure offsite backup is in place. This backup should be automated to reduce human dependency and be located sufficiently remote from the practice to make catastrophic loss of all data sources unlikely. If backing up to the cloud rather than a physical drive, ensure all connections are securely encrypted and that the backup provider can demonstrate compliance with Australian Privacy Principles.

As many cloud services do not physically exist within our state, territory or country borders, there is an obligation to ensure that data being transferred is managed in accordance with these regulations.

It is prudent to regularly check the content of backups for the integrity of the data within. Backup drives must be securely stored, encrypted and password protected to minimise the risk of their loss or theft. They should not be plugged into a terminal behind a reception desk that might be regularly unmanned throughout the day while staff are assisting in clinical procedures.
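One way to carry out the integrity check described above, as an added example that is not part of the original article: record a SHA-256 manifest when the backup is taken, then compare a test restore against it. The helper names (`build_manifest`, `verify_backup`) and the sample file names are illustrative assumptions, and the sample data is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large radiograph images do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(manifest, restored_root):
    """Compare a test restore against the manifest recorded at backup time."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "corrupted": sorted(n for n in manifest
                            if n in current and current[n] != manifest[n]),
        "unexpected": sorted(set(current) - set(manifest)),
    }

def demo():
    """Run the check on constructed sample files (not real practice data)."""
    sample = {"notes/patient_0001.txt": b"exam findings",
              "xray/0001.img": b"\x00\x01image-bytes",
              "appointments.csv": b"09:00,0001\n"}
    with tempfile.TemporaryDirectory() as live, \
            tempfile.TemporaryDirectory() as restored:
        for base in (live, restored):
            for name, data in sample.items():
                target = Path(base, name)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        manifest = build_manifest(live)          # taken when the backup runs
        clean = verify_backup(manifest, restored)
        # Simulate silent corruption and a file the backup job dropped.
        Path(restored, "xray/0001.img").write_bytes(b"\x00\x01image-bytez")
        Path(restored, "appointments.csv").unlink()
        return clean, verify_backup(manifest, restored)

if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere other than the backup drive itself, so that damage to the drive cannot also alter the record it is checked against.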

Corrupt software can arise in many IT platforms and it is wise to have in place arrangements to keep critical software up to date. Vendors regularly supply patches to fix security and stability issues. A failure to access these updates may leave practice systems vulnerable.

Most practices will have an interface between their software and the internet, and it is essential that firewalls, antivirus/malware protection and password-protected access are in place for these systems. These should all be updated regularly.

Practices may also wish to assign a privacy officer role to a member of staff, so that a trusted individual can oversee compliance with privacy and IT security and report any vulnerabilities or breaches to practice owners.

What if I am already doing all this? Is there anything else I should do?

At Dental Protection we recommend you plan for critical eventualities. It is likely that at some point in time your IT systems will go down and often patients will be in treatment at the time. Having a recovery plan in place can be invaluable in these situations and should outline the contact details of hardware and software vendors, backup details/locations, VPNs, ISP arrangements and contingencies (such as how to connect to cloud-based appointment books via secure mobile should the NBN be out of service). Having preprinted dental record templates (odontograms, headings for key consultation/examination findings, common item codes and their prices and so on) can simplify and facilitate the management of patients while systems are being restored.

Finally, it can be helpful to print the next day’s daysheet well before the close of business each day, and use it to ensure labwork has arrived, appointments have been confirmed, and antibiotic cover reminders have been given. These are of particular use if you arrive the next day at a practice only to see a blank screen remain when you turn your computer on!

Who said you don’t need paper anymore?

Further resources

Listen to Dental Protection's RiskBites podcast on Practical data protection

Read Dental Protection’s booklet The Privacy Act

© 2010-2024 The Medical Protection Society Limited
