
Data loss and breaches: avoiding the screen of death

30 October 2020

Calls to Dental Protection for advice regarding practice data corruption or loss are occurring with increased frequency. Dr Simon Parsons, Dentolegal Consultant at Dental Protection, explores the facts.

 

Incidents we have assisted members with have varied in severity. However, in some cases, despite the best efforts of IT experts, all clinical records, including treatment notes, chartings, digital radiographs, scanned referrals and financial records, were irretrievable from the server. Regretfully, there have been some circumstances where appropriate backup has not been undertaken, compounding this loss.

Naturally, the members involved have been incredibly distressed, as they cannot tell which patients are due to attend the practice next or what treatment is still planned for any of their patients. Without records to defend their care, they are exposed to future complaints, and many practitioners are unaware of the legal and ethical implications of the data loss and of their responsibilities in this area.

Let’s review these concerns in the context of some commonly asked questions.

What are my responsibilities around the loss of data?

We’ve previously discussed the issues relating to any need to report a data loss or breach to regulatory authorities in our article “Health privacy and how to report data breaches”.

The data breach must be assessed to determine whether it is notifiable and needs to be reported to the Office of the Australian Information Commissioner (OAIC). This is a critical step: not only are we professionals who should act accordingly, but the fines for failing to report a notifiable breach are significant.

Whether notifiable to the OAIC or not, it is important to inform all affected patients of the event and of your strategy to address data recovery or rebuilding. This can be extremely difficult if there is a total loss of the database. It is wise to ensure this communication indicates whether the patient’s data was breached or merely lost; the latter does not pose the same level of risk to affected patients in terms of their privacy and the risk of identity theft.

What recovery strategies are helpful?

It can be helpful to source as much information as possible from affiliated third parties to try to rebuild treatment histories. This can mean contacting health funds, dental laboratories, government agencies (eg Veteran’s Affairs, Medicare) and the specialist referral base to see if copies of some of the records could be obtained. There can be limitations to what information such bodies are prepared to provide. When received, this needs to be manually entered into a new database.

Within the practice, a robust manual system will be needed to create the new dental records. This will include systems to document clinical notes, infection control tracking, new medical histories and patient contact details for every patient, and a temporary appointment book. Additionally, future radiographic and study model records would be created, in most instances, at no charge.

So what must I look for to ensure a robust IT system?

With most practices relying on practice management software and hardware, it is critical that secure offsite backup is in place. This backup should be automated to reduce human dependency and be located sufficiently remotely to the practice to make catastrophic loss of all data sources unlikely. If backing up to the cloud rather than a physical drive, ensure all connections are securely encrypted and that the backup provider can demonstrate compliance with Australian Privacy Principles, such as OAIC’s Privacy for health service providers and the IPC’s Health Privacy Principles.

As many cloud services do not physically exist within our state, territory or country borders, there is an obligation to ensure that data being transferred is managed in accordance with these regulations.

It is prudent to regularly check the content of backups for the integrity of the data within. Backup drives must be securely stored, encrypted and password protected to minimise the risk of their loss or theft. They should not be plugged into a terminal behind a reception desk, which might be regularly unmanned throughout the day while staff are assisting in clinical procedures.
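One way to carry out the regular integrity check described above, as an added example that is not from Dental Protection or any practice software vendor: record a SHA-256 manifest of the live data, then compare a mounted or test-restored backup against it. The function names and the sample file names are hypothetical and the file contents are constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large radiograph images do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(source_dir):
    """Map each file's relative path to its SHA-256, taken from the live data."""
    source_dir = Path(source_dir)
    return {p.relative_to(source_dir).as_posix(): sha256_file(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}


def verify_backup(manifest, backup_dir):
    """Compare a mounted or test-restored backup against the manifest."""
    report = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        candidate = Path(backup_dir) / rel
        if not candidate.is_file():
            report["missing"].append(rel)
        elif sha256_file(candidate) != expected:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Constructed sample: three fake record files, one lost and one damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        (live / "xrays").mkdir(parents=True)
        (live / "notes.db").write_bytes(b"constructed clinical notes")
        (live / "ledger.csv").write_bytes(b"constructed financial rows")
        (live / "xrays" / "p001.dcm").write_bytes(b"constructed image bytes")
        manifest = build_manifest(live)
        shutil.copytree(live, backup)
        (backup / "ledger.csv").unlink()  # simulate a file the backup missed
        (backup / "notes.db").write_bytes(b"constructed clinical n0tes")  # simulate corruption
        return verify_backup(manifest, backup)


if __name__ == "__main__":
    print(demo())
```

Any entry under `missing` or `corrupt` means the backup could not fully rebuild the practice database. Store the manifest separately from the backup drive so that damage to one does not hide damage to the other.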

Corrupt software can arise in many IT platforms and it is wise to have in place arrangements to keep critical software up-to-date. Vendors regularly supply patches to fix security and stability issues. A failure to access these updates may leave practice systems vulnerable.

Most practices will have an interface between their software and the internet, and it is essential that firewalls, antivirus and malware protection, and password-protected access are in place for these systems. These should all be updated regularly.

Practices may also be wise to appoint a privacy officer role to a member of staff so that a trusted individual can oversee compliance with privacy and IT security, and report any vulnerabilities or breaches to practice owners.

What if I am already doing all this? Is there anything else I should do?

At Dental Protection we recommend you plan for critical eventualities. It is likely that at some point in time your IT systems will go down and often patients will be in treatment at the time. Having a recovery plan in place can be invaluable in these situations and should outline the contact details of hardware and software vendors, backup details and locations, VPNs, ISP arrangements and contingencies (such as how to connect to cloud-based appointment books via secure mobile should the NBN be out of service). Having preprinted dental record templates (odontograms, headings for key consultation and examination findings, common item codes and their prices and so on) can simplify and facilitate the management of patients while systems are being restored.

Finally, it can be helpful to print the next day’s daysheet well before the close of business each day, and use it to ensure labwork has arrived, appointments have been confirmed and antibiotic cover reminders have been given. These are of particular use if you arrive the next day at a practice only to see a blank screen when you turn your computer on!

Who said you don’t need paper anymore?

Further resources

RiskBites – Dental Protection’s podcast series, Practical Data Protection

Dental Protection, The Privacy Act

© 2010-2023 The Medical Protection Society Limited
