The difference between a privacy and confidentiality breach

In August 2024, an exposed database belonging to Confidant Health revealed 5.3 terabytes of sensitive health data, including confidential therapy session details and personal patient information. But what is the difference between a confidentiality and privacy breach?

A privacy breach is when personal information is collected, accessed, used, or disclosed in a way that violates an individual’s right to privacy. Meanwhile, a confidentiality breach occurs when sensitive information that was shared in confidence is improperly disclosed to unauthorized individuals.

What is a privacy breach?

Any collection, access, use, or disclosure of personal data that infringes against an individual's right to privacy is considered a privacy breach. This typically involves the exposure of protected personal data without proper authorization or legal justification.

Examples of privacy breaches:

• A hospital employee accesses a patient’s medical records out of curiosity, even though they are not involved in the patient’s care.
• A healthcare provider shares a patient’s medical information with an insurance company without the patient’s consent.
• A cybersecurity breach exposes patient records stored in an electronic health record (EHR) system.

Privacy breaches are often governed by legal frameworks such as the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. and other national data protection laws. Violations can lead to severe legal penalties, financial consequences, and reputational damage.

Read also: What is HIPAA?

What is a confidentiality breach?

When sensitive material supplied in trust is mistakenly revealed to unauthorized parties, this constitutes a confidentiality breach. Unlike a privacy breach, which involves violating legal protections, a confidentiality breach is primarily about breaking a trust agreement between two parties.

Examples of confidentiality breaches:

• A doctor discusses a patient’s diagnosis with a friend, despite the patient trusting them to keep the information confidential.
• A nurse shares patient details in a public setting where others can overhear.
• A researcher discloses confidential study participant data without anonymizing it.

Confidentiality breaches can violate ethical codes (such as those set by medical boards), professional agreements, or workplace policies. Although they may not always be legally actionable in the same way as privacy breaches, they can result in disciplinary action, loss of professional licenses, and loss of trust from patients and colleagues.

See also: Safeguarding patient confidentiality during information requests

Confidentiality vs privacy breaches

In healthcare, all confidentiality breaches are privacy breaches, but not all privacy breaches involve a breach of confidentiality. This means that all breaches of confidentiality in healthcare involve the mishandling of sensitive data, which can also lead to privacy violations. However, a privacy breach doesn’t always stem from a broken confidentiality agreement.

Related: Privacy vs confidentiality in healthcare

How to prevent privacy and confidentiality breaches

Organizations and healthcare professionals must take proactive steps to protect both privacy and confidentiality:

• Follow legal and ethical guidelines such as HIPAA, GDPR, or national data protection laws.
• Limit access to sensitive information based on roles and responsibilities.
• Implement strong cybersecurity measures to prevent unauthorized access to data.
• Educate employees on proper data handling and the importance of confidentiality.
• Avoid discussing sensitive information in public spaces or with unauthorized individuals.

FAQS

Can a patient sue a healthcare provider for a data breach?

Yes. If a confidentiality or data breach causes harm (e.g., emotional distress, financial loss, reputational damage), the patient may file a lawsuit for damages. The provider may also face disciplinary action from medical boards.

What role does cybersecurity play in preventing privacy breaches?

Cybersecurity protects patient privacy. Key measures include:

• Data encryption to prevent unauthorized access.
• Two-factor authentication (2FA) for secure logins.
• Firewalls and antivirus software to block cyberattacks.

Regular security audits to detect vulnerabilities.