Dental AI guide

Someone Pasted Patient Data Into ChatGPT — What Now?

Sooner or later it happens. A calm, prepared first response — not panic, and not pretending it didn't happen — is what protects the practice and the patient.

At some point a staff member will paste patient information into a public AI tool, or a tool will be found doing something it shouldn't. What protects the practice is a calm first response prepared in advance — not panic, and not hoping it didn't matter.

No patient data required. Use these guides for practice workflow education, not patient-specific advice.

The worst time to work out what to do about an AI privacy incident is during one. Decide the steps now, while it's calm.

This is general educational material for dental practice owners and staff, not legal advice. It is a first-response guide, not a substitute for qualified privacy or legal advice when an incident occurs.

Two privacy laws apply in NSW. As well as the Commonwealth Privacy Act 1988 and its Australian Privacy Principles (APPs), dental practices in NSW are also bound by the NSW Health Records and Information Privacy Act 2002 (HRIP Act) and its Health Privacy Principles (HPPs). Read the considerations here against both. General information, not legal advice.

Why this matters

If staff use computers, this will happen eventually — a name pasted into ChatGPT to draft a letter, a patient list dropped into a tool to "tidy it up", an AI feature found to be storing data offshore. The damage is usually made worse by two reactions: panic, or pretending it didn't happen. A short, prepared process avoids both.

This connects to the extraction cycle: once data has left the system, the question becomes what to do about the copy that's now out there.

First response — the steps

Work through these calmly. Identifying an incident is not the same as declaring a breach — it is gathering the facts so the right people can decide.

  1. Identify what was involved. What information (names, health details, images, contact details)? Which tool? Which patient(s)? Roughly when?
  2. Contain it. Stop the workflow. Where possible, delete the content from the tool, clear its history, and stop any sync. Change a password or revoke access if an account was involved.
  3. Document it factually. Write down what happened, when, who was involved and what data — a plain record, not blame. This record matters later.
  4. Escalate. Tell the practice owner / privacy officer straight away. One person should own the response.
  5. Assess whether it may be notifiable — with help. The Notifiable Data Breaches scheme can require notifying affected people and the regulator for serious breaches. Do not self-assess the threshold. Whether an incident is an "eligible data breach" is a legal assessment — get qualified privacy/legal advice promptly.
  6. Act on advice without delay. If notification is required, the scheme has timing expectations — move on advice quickly rather than sitting on it.
  7. Close the loop. Update the staff AI policy and training so the same thing doesn't recur. Most incidents point to a gap that's easy to fix.

Also in the full guide

  • Two things not to do
  • Be ready before it happens

Optional — get a customised version

Request the version adapted for your practice

The guide above is free to read and download. If you would like a version tailored to your practice workflow, leave your details below. Use practice-level details only. Do not include patient names, treatment details, clinical notes, X-rays, invoices or identifiable emails.