
7 steps to avoiding a human data breach
Human error continues to be a major cause of data breaches in healthcare. Here are seven steps to help you avoid one.
Tuesday, 9 September 2025
According to the most recent Notifiable Data Breaches Report released by the Office of the Australian Information Commissioner (OAIC), while malicious or criminal attacks accounted for the majority (69%) of all notifiable data breaches, human error continues to play a significant role. Between July and December 2024, 29% of breaches across all sectors were due to human error. Health service providers were the largest source of notifications, reporting 20% of all data breaches.
The most common mistake was sending personal information to the wrong email recipient. Other common errors included failure to use the BCC function and failure to properly redact information.
We’ve reviewed the OAIC report and calls to Avant’s medico-legal advisory service about data breaches and have identified the following key learnings.
1. Check before pressing send
The most common human error in the July–December 2024 Notifiable Data Breaches report was personal information sent to the wrong email recipient, which accounted for 42% of all human error breaches across all sectors.
This was also high on the list of reasons for members calling us for advice and is the source of considerable angst. It is an easy error to make if you are emailing or texting patients.
2. Check before mailing
We also had a number of calls where information was mailed to incorrect addresses or information intended for several recipients (such as recall letters) was included in one envelope.
While many practices are cautious about sending sensitive information electronically, it is important also to check you have robust procedures in place for mailing information.
3. Beware the autocorrect
Another emerging theme was the perils of auto text and auto-complete. This can be a problem in both email programs and word processing software, which may default to inserting recently or frequently used addresses.
This can contribute to the problem of information being sent to the incorrect address.
It could also lead to patient information in reports or referral letters being sent to the wrong provider.
4. Secure patient information
Laptops, USBs, logbooks, or physical files lost or stolen from homes, cars or public transport accounted for another significant group of calls.
While it is not possible to completely guard against theft, precautions can help – these include having protocols for when and how patient information can be taken out of the practice, password protection and encrypting files, remote access precautions and locking devices.
Protocols for ensuring devices can be remotely located or wiped, together with regular and secure back-ups not linked to your system, will mean you can wipe devices without loss of data.
Where the loss or theft involved physical files, these were often found discarded, so it is equally important to report this to police.
5. Lock unattended devices
Reported data breaches also occurred when phones were left unlocked or with no password protection and computers left logged on and unattended.
Check the security settings on office computers and have appropriate controls on any devices that have access to patient information files.
6. Close unused browser and application windows
Having multiple patient files open and flicking through them might be convenient; however, there have been reported cases where this has led to medication errors.
It has also resulted in the wrong patient’s information being inserted into referrals or pathology requests.
7. Be prepared
All these errors have the potential to lead to patient harm, as well as regulatory action and reputational damage.
The good news is that many of these breaches are preventable. In our experience the time taken to avoid a data breach is definitely preferable to the time and stress of having to respond to a breach.
Final suggestions
Review your privacy procedures and make sure that everyone in your practice, including temporary staff and contractors, understands their responsibilities.
You need a data breach response plan. Whether or not you have to report a data breach to the OAIC, you will need to be able to respond promptly and document what steps you have taken.
Even the most secure systems can be vulnerable to human error. Remind staff about the need for secure passwords and the dangers of phishing and other scams to gain access to your systems.
If you are not sure who is asking for information, always check.
Reference and further reading
Avant collection - Cyber: what you need to know
More information
For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.
The information in this publication does not constitute legal, financial, medical or other professional advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement and seek appropriate professional advice relevant to their own particular circumstances. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant and its related entities are not responsible to any person for any loss suffered in connection with the use of this information. Information is only current at the date initially published.