A breach of confidentiality doesn’t always make headlines. It can be as simple as an email sent to the wrong person or a file shared without proper approval. Once sensitive information leaves the circle of people who should see it, you lose control over how far it spreads.
A breach can escalate quickly. When private details slip out, they can move in ways you didn’t anticipate. Understanding what counts as a breach helps you gauge the impact and decide what to do next. To do that, it helps to know what confidentiality actually protects and when that duty applies.
What Is a Breach of Confidentiality?
A breach of confidentiality happens when someone accesses, uses, or shares information they weren’t authorized to handle. It can be intentional or accidental. What matters is that the information crossed a boundary the owner didn’t allow. Once that happens, the duty to protect it is broken.
More than a century ago, Louis Brandeis and Samuel Warren warned that “what is whispered in the closet shall be proclaimed from the house-tops.” That warning feels sharper today, when a single screenshot or forwarded file can move confidential information anywhere in seconds.
What Makes Information Confidential?
Information is confidential when a contract, a law, a professional duty, or a clear expectation of privacy requires someone to protect it. That protection might come from a written agreement, workplace rules, or legal limits on who can access certain details. No matter the situation, the point remains the same: the information wasn’t intended for anyone else. These protections fall into a few main categories.
Agreements That Keep Information Private
Some information stays confidential because people agreed to keep it private. For example, NDAs and vendor agreements can set clear rules about what information can be shared and who can access it. Workplaces may use job contracts to implement similar rules about protecting internal details, such as:
- Client lists
- Pricing or financial information
- Strategic plans
- Sensitive business or customer data
By defining these protections in written agreements, businesses guard against financial losses, damaged trust, and unfair advantages for competitors. If you need to set those rules in writing, you can use a free confidentiality agreement or non-disclosure agreement (NDA) template to define what needs to stay private.
Courts protect certain conversations even without a contract, as long as both people meant the discussion to stay private. In some states, for example, both spouses can block each other from revealing private marital conversations.
Laws That Control Access to Sensitive Details
Some information stays private because the law requires it. For example, the Privacy Act of 1974 limits what the federal government can disclose without consent. Health information faces even tighter rules under HIPAA. The law protects any health, treatment, or payment information that can be linked to a specific person and is held by a covered entity or its business associate. That includes:
- Medical records and diagnoses
- Test results and treatment notes
- Billing and payment details
- Any identifiers tied to a patient’s health information
A healthcare breach can trigger fines, investigations, or mandatory reporting. Federal agencies follow similar principles when handling their own records. Under the Freedom of Information Act (FOIA), certain categories of information stay protected and cannot be released, including:
- Personal privacy files
- Privileged government materials
- Law-enforcement records
- Trade secrets held by agencies
States add their own limits for juvenile records, child-abuse reports, and other restricted documents. Together, these laws set firm boundaries on who can see sensitive information and why.
Information With Real Business or Research Value
Some information stays confidential because it carries economic or research value. Trade secrets fall into this category and can include formulas, processes, or methods that a company protects through security measures.
Research institutions follow similar principles and put firm limits on who can access sensitive research information. IRB standards and data-use agreements work together to restrict access to:
- Human subject research files
- Unpublished findings
- Sensitive or restricted datasets
Stanford explains that these protections apply whenever a study involves identifiable information or direct contact with participants. These safeguards keep sensitive data in the hands of people who are authorized to use it. If your team creates products, tools, or proprietary methods, a confidential information and invention assignment agreement can help you protect both the information and the ownership rights.
Trade Secrets Taken to a New Startup
Tesla sued a former engineer after he downloaded confidential robotics files onto personal devices and left to form a competing startup.
The company claims he copied sensitive Optimus hand-design data and used it to build similar technology months later. It’s a clear example of how trade secrets can be accessed by the wrong person when controls are weak.
Professions That Require Strict Confidentiality
Some professions have to protect client information at all times. Lawyers, doctors, therapists, and accountants follow strict confidentiality rules, and these duties usually continue long after the relationship ends.
When Can a Lawyer Breach Confidentiality?
A lawyer can only break confidentiality in a few narrow situations. According to the American Bar Association, a lawyer may be able to breach confidentiality in the following cases:
- To prevent serious harm
- To comply with a court order
- To respond to claims of fraud involving the lawyer’s services
The ABA also allows disclosure in a few other rare cases. For example, a lawyer may reveal limited information to get ethics advice, defend themselves against a client’s accusations, collect a fee, or follow another law that requires disclosure. An attorney who breaches confidentiality without the client’s authorization and outside these specific exceptions can violate professional-conduct rules and face discipline.
When Can a Therapist Breach Confidentiality?
There’s some crossover with the rules for lawyers, but therapists follow their own ethical code. Therapists can break confidentiality only in very limited situations, such as:
- When someone is in immediate danger
- When abuse must be reported
- When a mandatory reporting law applies
- When the law requires disclosure for a valid purpose, like getting professional consultation or protecting someone from harm
These exceptions come from the American Psychological Association’s Ethics Code, which sets strict rules for when information can be shared. Anything outside these narrow situations is still confidential.
Breach of Confidentiality Examples
Breaches happen in workplaces, hospitals, and research settings, and the impact can be serious. You’ll see it in situations like these:
- An employee uses a client list to launch a competing business.
- A worker sells confidential product details to a rival.
- A service provider mishandles sensitive information you trusted them with.
- A company exposes private files on its website by mistake.
- Someone discloses medical records without permission, which counts as a breach of confidentiality in healthcare.
- A researcher shares unpublished findings with someone outside the project.
- A job candidate breaks an interview NDA by sharing details from the process.
UCLA Health fired multiple employees after they opened celebrity patient records without a valid reason. No one shared the information, but the act of looking was enough. Accessing medical files you are not authorized to see still counts as a confidentiality breach.
How to Deal With a Breach of Confidentiality
A breach of confidentiality can unfold in an instant. Maybe someone opens a file without permission or forwards a link that was meant to stay internal. Sometimes a device goes missing with sensitive data on it. Whether it happens by accident or through misuse, the risk to your business is the same. These steps help you limit the damage and protect yourself.
1. Secure Any Exposed Information
Start by stopping the leak. If the breach involves digital data, isolate the device so no one can keep accessing the files. Then lock things down so the issue can’t spread.
- Change passwords and update credentials.
- Restrict access and freeze any affected accounts.
- Remove anything posted or shared online.
- Secure physical records by closing off the room and moving documents to a safe place.
Once everything is contained, you can step back and assess the situation clearly.
2. Check Your NDA or Confidentiality Clause
Next, look at the agreement that governs the information. NDAs and confidentiality clauses often include the required steps after a breach of confidentiality, including notice timelines and reporting rules. Following those terms gives you leverage and keeps problems to a minimum.
3. Determine How Serious the Breach Is
Gauge the extent of the breach. Look at the type of information that leaked and the harm it could cause. See if the breach is still happening. Check how many people or systems were exposed, and confirm if safeguards like passwords or encryption were in place. Some situations carry more weight than others.
- Trade secrets can lose protection if a disclosure makes them public.
- Personal data may trigger legal notice and extra compliance steps.
Once you understand the scope, you can decide how aggressive your next steps need to be.
4. Write Down Exactly What Happened
Build a simple timeline. Record the dates, the information exposed, the people involved, and how you discovered the breach of confidentiality. These notes could become your anchor later on. Having clear documentation can show that you took the incident seriously.
5. Collect Evidence
Once you’ve mapped out the timeline, review the materials that show how the breach occurred. The goal here is to understand the source of the disclosure, how the information moved, and who had access. This gives you the clarity you need to address the issue internally and prevent it from happening again. Helpful records often include:
- The NDA or confidentiality clause
- Emails, messages, or files involved in the disclosure
- Access logs, timestamps, or metadata
- Notes from anyone who witnessed the incident
- Version histories or system logs tied to the document
If the breach involves digital systems, you may need basic forensic details that show when a file was viewed, downloaded, or shared. Avoid deleting anything, even if it seems small. A complete record helps you see what went wrong and why.
Most businesses try to resolve confidentiality issues outside of court, but if the situation escalates, these records can also help you meet the burden of proof by showing what happened and how.
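The timeline from step 4 and the access logs listed above can be combined into one record. The following is an added example, not part of this article or Legal Templates’ own material: it parses constructed access-log lines (the log format, user names and document names are assumptions for illustration), flags every access by someone outside the need-to-know list for that document, and hashes the raw log so you can later show the evidence was kept intact.

```python
# Added example (not from the original article): build a breach timeline from
# constructed access-log lines and flag access outside the need-to-know list.
# The log format, users and document names are assumptions for illustration.
import hashlib
from datetime import datetime

# Constructed sample log: timestamp, user, action, document, optional detail.
SAMPLE_LOG = """\
2024-03-04T09:12:00Z alice VIEW client-list.xlsx
2024-03-04T09:40:13Z bob VIEW client-list.xlsx
2024-03-04T10:02:45Z bob DOWNLOAD client-list.xlsx
2024-03-04T10:05:10Z bob SHARE client-list.xlsx external:rival.example
2024-03-05T08:30:00Z carol VIEW pricing.pdf
"""

# Who may handle each document, taken from the NDA or need-to-know list.
AUTHORIZED = {
    "client-list.xlsx": {"alice"},
    "pricing.pdf": {"carol", "alice"},
}

def parse_log(text):
    """Turn raw log lines into (timestamp, user, action, document, detail) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue  # skip malformed lines instead of guessing at them
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        detail = parts[4] if len(parts) == 5 else ""
        events.append((ts, parts[1], parts[2], parts[3], detail))
    return sorted(events)  # chronological timeline for step 4

def unauthorized_events(events, authorized):
    """Every access by someone outside the document's need-to-know list.
    Viewing alone counts: the UCLA Health case above turned on access, not disclosure."""
    return [e for e in events if e[1] not in authorized.get(e[3], set())]

def evidence_digest(text):
    """SHA-256 of the raw log as collected, so later alteration can be detected."""
    return hashlib.sha256(text.encode()).hexdigest()

def breach_report(text, authorized):
    """Summarise scope (who, what, when, whether it left the company) for step 3."""
    flagged = unauthorized_events(parse_log(text), authorized)
    return {
        "first_unauthorized": min(flagged)[0].isoformat() if flagged else None,
        "users": sorted({e[1] for e in flagged}),
        "documents": sorted({e[3] for e in flagged}),
        "shared_externally": any(e[2] == "SHARE" for e in flagged),
        "log_sha256": evidence_digest(text),
    }
```

Keep the original log file alongside the digest; the report is a working summary, not a substitute for the raw record.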
6. Notify the People Affected
Once you understand the impact, contact the people who need to know. That may include clients, partners, or internal teams. Early notice helps them protect themselves. Keep your message simple. Explain what happened, what you fixed, and any next steps. Letters, email, or secure portals all work.
7. Report the Breach
After you reach out to the people affected, report the breach. Every situation has its own channel, and getting it to the right one helps the issue move forward.
- Hacking or theft goes to law enforcement.
- Workplace issues go to HR or a supervisor.
- Medical information goes to privacy or compliance staff.
- Research data goes to the IRB or the school office.
- NDA issues go to the counterparty.
- Vendor-related issues go to the service provider.
Keep in mind that leaks involving personal data, such as Social Security numbers or medical details, may also require extra notice under privacy laws.
What Can I Do if My Employer Breached Confidentiality?
Some states require employers to notify workers when employee data leaks. And a few mandate identity-theft protection if Social Security numbers or financial details were exposed.
You can also report the issue to labor boards or privacy regulators. An employment lawyer can walk you through your options and help you respond to a breach of confidentiality at work.
8. Talk to a Lawyer and Decide on Legal Action
When the dust settles and you have a clearer view, consider consulting a lawyer. They can tell you whether you have an enforceable NDA or other contract and which claims are valid. NDAs must be reasonable, and every contract needs an exchange of value, known as consideration, to be valid. You also need to show you took real steps to protect the information. Possible claims include:
- Breach of contract
- Trade secret misappropriation
- Breach of fiduciary duty
- Copyright or patent misuse
- Conversion
- Trespass if physical access was involved
- RICO if the conduct was repeated and coordinated
A breach of confidentiality lawyer can explain your options and help you recover losses. They can also help you decide how far you want to take the case.
What You Can Recover After a Confidentiality Breach
When someone breaches confidentiality, you can ask the court for different types of remedies. Each one serves a specific purpose, and some apply only in certain situations. Knowing what’s available helps you understand what a court might award and what your case is worth.
| Type of Remedy | What You Can Recover |
|---|---|
| Actual Damages | Compensation for lost revenue, lost clients, mitigation costs, and reputation harm. |
| Disgorgement | Profits that the offender earned from the use of your confidential information. |
| Punitive Damages | Extra penalties if the breach was intentional, reckless, or malicious. |
| Injunctive Relief | A court-mandated order demanding that the offender stop using or sharing your information. |
| Other Remedies | Return/destruction of all copies, costs of court, attorney’s fees (if allowed), trade secret penalties (double damages in some states). |
These remedies give you a path to recover your losses and stop any ongoing misuse. Your lawyer can tell you which options fit your situation and how strong your claim is. The goal is to protect your information and make sure the breach doesn’t cause more damage going forward.
Courts may want to see that you tried to secure your information before the breach. If a trade secret was involved, you also need proof that you used reasonable secrecy measures.
How to Tell Someone They Breached Confidentiality
When you notify someone about a confidentiality breach, keep it clear and controlled. Your notice should explain the duty they had, what happened, the proof you have, and what you expect them to do next.
You can send a direct letter, an attorney letter, a cease and desist, or a demand letter. Pick the format that fits the seriousness of the breach. Include a few key points:
- A clear deadline to respond
- Instructions on who to contact
- How you plan to send future updates
- Only the facts, without revealing sensitive details
If you want a letter you can send today, Legal Templates has a violation of NDA cease and desist letter and a breach of contract demand letter ready for you to customize.
What to Do If You Breached Confidentiality
If you breached confidentiality, act quickly. Start by writing down exactly what happened so you have a clear timeline of the mistake. Then secure anything you exposed by deleting stray copies, updating access, or tightening passwords on affected accounts.
Once things are contained, notify the person or business affected. Give a clear explanation of what leaked, how it happened, and what you’ve already done to limit the damage.
Follow any reporting steps in your NDA or contract, then fix what you can by pulling back files or adjusting permissions. If the breach involved medical, financial, or student information, complete any required legal reporting. The goal is to control the impact, communicate clearly, and make sure the issue doesn’t happen again.
Avoid the Same Mistake Twice
If you want a clearer sense of what NDAs cover and how they set confidentiality rules, read Should You Sign That NDA? Here’s Why (And Why Not) to Sign. It helps you understand your limits before you agree to them.
How to Prevent the Next Confidentiality Breach
Confidentiality law is designed to protect sensitive information, and your ability to enforce it depends on the protections you put in place. If you protect information on the front end, you have the right to hold someone accountable on the back end. Strong controls make that possible and cut the risk of another breach. To strengthen your protections:
- Limit access to a need-to-know basis and label sensitive documents clearly.
- Add watermarks and timestamps so you can see how information moves.
- Train your team so everyone follows the same rules.
- Check that your partners use solid security practices.
- Review permissions often and keep access tight.
These steps work together. They lower your risk and make your NDAs and confidentiality agreements easier to enforce if someone shares information they shouldn’t. When your protections stay tight, your confidential information stays where it belongs.
