Medical Practice Faxes Patient Data to Wrong Number
What happens when a medical practice accidentally faxes confidential patient data to the wrong number — and why digital solutions eliminate this risk.
The Scenario
It is an ordinary Monday morning at the family medical practice of Dr. Claudia Werner in Dusseldorf, Germany. The practice serves around 1,200 patients per quarter, and like many medical offices across Europe, the fax machine remains a daily workhorse. Referral letters, lab results, specialist reports — a significant portion of medical communication still travels by fax.
Medical assistant Sandra Meier has a stack of outgoing documents to process that morning. Three patients need their lab results forwarded to specialists, two referral letters must go to a radiology center, and a detailed medical report containing diagnoses, a medication plan, and treatment recommendations needs to reach a colleague at a group practice across town.
Sandra keys in the fax number for Dr. Hoffmann's specialist practice: 0211-8834521. She transposes two digits, entering 0211-8834512 instead. The fax machine whirs, transmits all six pages, and displays "Transmission OK." Sandra checks the task off her list and moves on to the next patient file.
The wrong number belongs to KreativPuls GmbH, a small advertising agency three streets away. The fax lands in their communal break room, right next to the coffee machine. Agency owner Markus Bender finds the six pages in the output tray during his morning coffee run. He is looking at complete blood work panels including HIV and hepatitis screening results for three patients, a referral letter noting a suspected diagnosis of major depression, and a detailed medication plan listing antidepressants and anxiolytics. Every page carries the patients' full names, dates of birth, home addresses, and health insurance numbers.
Markus recognizes one of the patients — Thomas Richter, his next-door neighbor. He inadvertently learns about Thomas's psychiatric treatment, the prescribed antidepressants, and his extended sick leave. The information spreads when Markus makes an offhand remark to a mutual acquaintance at a weekend barbecue.
Two days pass before the practice realizes that Dr. Hoffmann never received the results. Sandra checks the fax transmission log, spots the transposed digits, and alerts Dr. Werner. By then, the sensitive health records of five patients have been in unauthorized hands for 48 hours.
The Risks
Accidentally faxing patient data to the wrong recipient is one of the most common data protection incidents in the healthcare sector. The risks are far-reaching and, once the fax is sent, virtually impossible to contain.
Uncontrollable data exposure. Once a fax is transmitted, there is no way to recall it. Unlike a share link that can be revoked or simply allowed to expire, a fax cannot be retracted or remotely deleted. The sending practice has zero control over who picks up the document at the receiving machine, who reads it, who copies it, or who photographs it with a phone. In this scenario, the pages sat openly in an agency break room for hours, potentially seen by employees, cleaning staff, or visitors.
Special category personal data. Health data falls under Article 9 of the GDPR and carries the highest level of protection under European law. Information about diagnoses, medications, psychiatric conditions, or test results is profoundly sensitive. Unauthorized disclosure can have life-altering consequences for the individuals involved — from workplace stigmatization to difficulties obtaining insurance or credit.
Erosion of patient trust. The physician-patient relationship is built on confidentiality. When patients learn that their most intimate health information was carelessly exposed, many will change doctors. In smaller communities, a single incident can permanently damage a practice's reputation. For Thomas Richter, the consequences were deeply personal: his social circle learned about his mental health condition through neighborhood gossip, a breach of trust that no apology can undo.
No audit trail. A fax transmission report only confirms that data was sent to a number. It provides no evidence of who actually received the document, whether copies were made, or whether the data was shared further. The accountability documentation the GDPR expects cannot be reconstructed from a fax transmission report.
Delayed detection. Misdirected faxes are frequently discovered days or weeks after the fact — if they are discovered at all. During that window, the data may have been copied, photographed, discussed, or discarded in unsecured waste.
Legal Consequences
The legal ramifications of such an incident in a medical practice are particularly severe because multiple areas of law converge simultaneously.
GDPR violations. Processing special categories of personal data is governed by Article 9 GDPR. Sending such data by fax to an unintended recipient constitutes a failure to implement appropriate technical and organizational measures under Article 32 GDPR. Multiple European data protection authorities have stated that fax transmission is no longer considered a secure communication channel for sensitive data, particularly since fax transmissions are now frequently carried over unencrypted VoIP (fax over IP) links whose route the sending practice can neither see nor control.
Notification obligations under Articles 33 and 34 GDPR. The incident must be reported to the competent supervisory authority within 72 hours. Because there is a high risk to the rights and freedoms of the affected individuals — health data, full names, addresses — the practice must also notify each affected patient individually without undue delay. The notification must describe the nature of the breach, the categories of data involved, the likely consequences, and the measures taken to address it.
Medical confidentiality under German criminal law (Section 203 StGB). In Germany, the violation of professional secrecy by physicians and their staff is a criminal offense. Section 203 punishes intentional disclosure with up to one year of imprisonment or a fine; a purely negligent misdial is not itself punishable under it. Prosecution requires a complaint by the affected patient (Section 205 StGB), and once a complaint is filed an investigation may be opened to establish whether the disclosure was in fact intentional.
Professional regulatory consequences. The relevant medical chamber can initiate disciplinary proceedings. In serious cases, sanctions range from formal reprimands to temporary suspension of the right to practice. The absence of adequate protective measures or a pattern of repeated incidents significantly aggravates the assessment.
Civil liability. Affected patients can claim compensation for both material and non-material damages under Article 82 GDPR. In the case of Thomas Richter, whose psychiatric condition became known in his social environment, claims for non-material damages in the four- to five-figure range are realistic in light of German case law on Article 82.
Financial Impact
| Cost Item | Estimated Amount |
|---|---|
| GDPR fine (supervisory authority) | 10,000 – 50,000 € |
| Legal counsel and representation | 5,000 – 15,000 € |
| Compensation claims from affected patients | 5,000 – 25,000 € |
| Individual patient notification (Art. 34) | 500 – 2,000 € |
| Data protection impact assessment and expert report | 3,000 – 8,000 € |
| Implementation of new technical measures | 2,000 – 10,000 € |
| Revenue loss from patient attrition | 10,000 – 30,000 € |
| Staff training and process redesign | 1,500 – 5,000 € |
| Reputation management and communications | 3,000 – 15,000 € |
| Total | 40,000 – 160,000 € |
These estimates are based on documented cases and fine decisions by German supervisory authorities. In particularly severe cases or where repeat offenses are involved, fines can be substantially higher.
How to Prevent This
Modern digital solutions like SendMeSafe eliminate the risks of fax transmission entirely while providing a more efficient workflow for everyday practice operations.
Upload links for patients and referring physicians. Instead of faxing results, the practice creates a personalized upload link for the receiving specialist. The link is password-protected, can be set with an expiration date, and ensures that only the authorized recipient gains access. The transfer is encrypted end-to-end. A transposed digit in the recipient's contact information becomes irrelevant because the link is sent directly to a verified email address. Even if the email were misdirected, the password requirement prevents unauthorized access, provided the password travels over a separate channel (for example, read out by phone) rather than in the same email as the link.
Secure share links for document exchange. For actively sending documents — such as medical reports, lab results, or referral letters — share links provide a secure alternative to fax. The practice uploads the documents, sets a password and a maximum number of downloads, and sends the link to the recipient by email. Files are stored encrypted on European servers and automatically deleted after expiration.
Complete audit trail. Every action is logged, from upload to access to download, including denied attempts. The practice can demonstrate at any time exactly who received which data and when. This traceability supports the GDPR's accountability and documentation requirements for technical and organizational measures and protects the practice during audits by the supervisory authority.
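As an added illustration of the controls described in the three points above (not SendMeSafe's code or API, and not a description of how its backend is built), the following Python models a share link as a small state machine: an unguessable token, a password checked against a salted hash, an expiry time, a download cap, revocation by the sender, a lockout after repeated wrong passwords, and an audit entry for every outcome on a known link. All names, email addresses, and the password are constructed for the example; the `ShareService` class and its methods are hypothetical.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PBKDF2_ROUNDS = 600_000    # PBKDF2-HMAC-SHA256 work factor (OWASP guidance)
MAX_PASSWORD_FAILURES = 5  # lock a link after this many wrong passwords


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class ShareLink:
    token: str                 # unguessable identifier carried in the URL
    salt: bytes
    password_hash: bytes
    expires_at: datetime
    max_downloads: int
    downloads: int = 0
    failed_attempts: int = 0
    revoked: bool = False
    audit: list = field(default_factory=list)


class ShareService:
    """In-memory stand-in for a share-link backend (hypothetical, not SendMeSafe's API)."""

    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))  # injectable for testing
        self._links = {}

    def _log(self, link, event, actor):
        link.audit.append({"time": self._clock().isoformat(), "event": event, "actor": actor})

    def create_link(self, password, ttl, max_downloads, created_by):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: nothing to transpose or guess
        salt = os.urandom(16)
        link = ShareLink(token, salt, _hash_password(password, salt), self._clock() + ttl, max_downloads)
        self._links[token] = link
        self._log(link, "created", created_by)
        return token

    def revoke(self, token, actor):
        link = self._links[token]
        link.revoked = True
        self._log(link, "revoked", actor)

    def download(self, token, password, actor):
        """Return (allowed, reason); every outcome on a known link is written to its audit trail."""
        link = self._links.get(token)
        if link is None:
            return False, "unknown link"
        if link.revoked:
            reason = "revoked"
        elif self._clock() >= link.expires_at:
            reason = "expired"
        elif link.downloads >= link.max_downloads:
            reason = "download limit reached"
        elif link.failed_attempts >= MAX_PASSWORD_FAILURES:
            reason = "locked after repeated wrong passwords"
        elif not hmac.compare_digest(_hash_password(password, link.salt), link.password_hash):
            link.failed_attempts += 1  # failed guesses never consume a download
            reason = "wrong password"
        else:
            link.downloads += 1
            self._log(link, "downloaded", actor)
            return True, "ok"
        self._log(link, "denied: " + reason, actor)
        return False, reason

    def audit_trail(self, token):
        return list(self._links[token].audit)


def demo():
    """Walk constructed links through their lifecycle; returns the outcomes for inspection."""
    clock = [datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)]  # mutable so expiry can be simulated
    svc = ShareService(lambda: clock[0])
    pw = "korrekt-batterie-pferd"  # to be read to the recipient by phone, never sent with the link
    results = {}
    a = svc.create_link(pw, timedelta(hours=24), 1, "s.meier@praxis-werner.example")
    results["misdirected_email"] = svc.download(a, "guess", "someone@kreativpuls.example")
    results["intended_recipient"] = svc.download(a, pw, "hoffmann@praxis.example")
    results["second_download"] = svc.download(a, pw, "hoffmann@praxis.example")
    clock[0] += timedelta(hours=25)
    results["after_expiry"] = svc.download(a, pw, "hoffmann@praxis.example")
    results["events"] = [e["event"] for e in svc.audit_trail(a)]
    b = svc.create_link(pw, timedelta(hours=24), 3, "s.meier@praxis-werner.example")
    svc.revoke(b, "dr.werner@praxis-werner.example")  # sender notices a mistake before any download
    results["revoked"] = svc.download(b, pw, "hoffmann@praxis.example")
    c = svc.create_link(pw, timedelta(hours=24), 3, "s.meier@praxis-werner.example")
    for _ in range(MAX_PASSWORD_FAILURES):
        svc.download(c, "wrong", "someone@kreativpuls.example")
    results["locked"] = svc.download(c, pw, "hoffmann@praxis.example")
    results["unknown_token"] = svc.download("not-a-real-token", pw, "anyone")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design choices carry the security argument. A failed password guess is logged but never counts as a download, so an attacker holding a misdirected email cannot silently exhaust the recipient's allowance, and the lockout bounds how many guesses a weak password can absorb. Revocation is what a fax can never offer: the sender who spots the mistake can close the link before anything is read, and the audit trail records that it was closed.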
Seamless integration into daily operations. The transition requires no complex IT infrastructure. SendMeSafe runs in the browser — medical assistants can securely send and receive documents within minutes. It saves time, reduces error sources, and provides both the practice team and patients with the confidence that sensitive data is protected.
Frequently Asked Questions
Is it still legal for medical practices to send faxes?
Faxing is not outright prohibited. However, multiple German data protection supervisory authorities — including those in Bremen, Hesse, and Bavaria — have explicitly stated that fax is no longer considered a GDPR-compliant method for transmitting sensitive health data. The reason is that modern fax machines typically use Voice-over-IP connections that are not consistently encrypted. The responsibility for secure transmission lies with the sending practice. In the event of a data breach, the practice must demonstrate that it implemented appropriate technical measures — and a fax machine will fail that test in the vast majority of cases. Similar guidance has been issued by supervisory authorities across the EU.
What must a medical practice do if patient data was faxed to the wrong number?
There are clear obligations to follow. The incident must be documented internally without delay. Within 72 hours, a report must be filed with the competent data protection supervisory authority (Article 33 GDPR). If there is a high risk to the affected patients — which is regularly the case with health data — the patients must be notified individually and without undue delay (Article 34 GDPR). Additionally, the practice should contact the unintended recipient and request immediate destruction of the documents, though it has no legal mechanism to enforce this.
What fines can a medical practice face for a GDPR breach?
The GDPR provides for fines of up to 20 million euros or 4 percent of annual worldwide turnover, whichever is higher. In practice, fines imposed on individual medical practices typically range from 5,000 to 50,000 euros. The amount depends on factors such as the severity of the breach, the nature of the affected data, the number of individuals affected, whether the breach was intentional or negligent, and what measures the practice took to mitigate the damage. Repeat offenses or failure to cooperate with the supervisory authority can substantially increase the fine.
How quickly can a medical practice switch to a digital solution like SendMeSafe?
The transition can be completed within a single day. SendMeSafe requires no software installation on practice computers and works through any modern web browser. Setting up a practice account takes only a few minutes. The practice team can immediately begin creating secure upload links for patients and referring physicians and sending documents via encrypted share links. A brief training session of 30 to 60 minutes is typically sufficient for all staff members to use the system confidently. The ongoing costs are a fraction of the potential expenses from even a single data protection incident.