Confidentiality & Workplace Privacy — Compliance Scenario

A Colleague Told Me About Their Cancer Diagnosis in Confidence. I Mentioned It to One Person. Now the Whole Team Knows. What Went Wrong?

A real workplace compliance scenario — with three decision options and the right answer.

Quick Answer

Is sharing a coworker’s medical information with others a workplace policy violation? Yes — and it can also create legal exposure under ADA and state privacy laws. Medical information shared in confidence is among the most protected categories of personal information in the workplace. This scenario shows why “I only told one person” is never a defense when that information was shared in confidence, and why the chain of disclosure doesn’t reduce the liability of the person who started it.

The Situation

A colleague, David, quietly told you last Friday that he had just been diagnosed with cancer and would need to take some medical leave in the coming months. He said he wasn’t ready to tell the team yet — he wanted to process it first. You felt terrible for him and mentioned it to one trusted colleague, thinking it might help the team be more patient with David if his work slipped. By Monday morning, three other colleagues had approached David to express their sympathy. He hasn’t told anyone. He’s visibly shocked and upset. He comes to you directly.

What Should Have Happened?

Choice A: Tell one trusted colleague. The intent was to help David by making the team more supportive. One trusted person doesn’t constitute gossip — it was said with good intentions and kept within a small circle.

Choice B: Keep David’s information completely private and respect his explicit request not to share it until he is ready. If you were concerned about the team’s response to his work performance, speak to your manager without disclosing the medical details.

Choice C: Ask David’s permission first before saying anything to anyone — and if he said no, respect that decision completely.

The Right Call

Choice B or C — both require honoring David’s explicit request. Choice A was a serious confidentiality violation regardless of the intent behind it.

David explicitly said he was not ready to share the information. That statement created a clear obligation of confidentiality. The reason for sharing — helping the team be more understanding — doesn’t change the nature of what was done. Medical information is among the most sensitive categories of personal data in the workplace. Once shared without consent, the damage cannot be undone — and the person who started the chain is responsible for every link that followed.

Why This Scenario Is Harder Than It Looks

Good intent doesn’t neutralize a confidentiality violation.

The impulse to help David by preparing the team was genuine. That’s exactly what makes this scenario difficult — the motivation was kind. But confidentiality obligations don’t have a good-intentions exception. The harm to David — his autonomy, his privacy, his ability to control his own story — is the same regardless of why the information was shared.

“I only told one person” is not a meaningful limit.

Information shared in confidence doesn’t stay contained by the number of people you told. Once shared, you have no control over what happens next. The colleague you trusted made the same judgment you did — that it was okay to share with one more person. That’s how private medical information becomes common knowledge before the employee has had a chance to process their own diagnosis.

Medical information carries specific legal protections.

Employee medical information is protected under the ADA, HIPAA in healthcare contexts, and various state privacy laws. Unauthorized disclosure of an employee’s medical condition can create legal liability for both the individual who disclosed it and the organization. HR and Legal take these situations seriously — not because rules are being followed for their own sake, but because the harm to the affected employee is real and documented.

Frequently Asked Questions

Is sharing a coworker’s medical information always a policy violation?

Yes, when it was shared in confidence or without the employee’s consent. Medical information is among the most protected categories of personal information in employment. Most company confidentiality policies specifically address personal medical information, and some jurisdictions have additional legal protections that apply beyond general privacy policies.

What should I do if I’m worried about a colleague’s work performance due to a health issue?

Speak to your manager or HR about the performance concern without disclosing the medical details. You can say “I’m concerned about a colleague’s workload and whether the team is adequately supported” without revealing the reason for your concern. The medical information belongs to the employee, not to you, and is not yours to pass along, even for context.

What are the consequences for sharing an employee’s medical information without consent?

Consequences range from a formal written warning to termination, depending on the severity of the breach and the organization’s policy. In some contexts, particularly in healthcare organizations, unauthorized disclosure of medical information can also create legal liability. The affected employee may also have grounds for a formal complaint or legal action, depending on jurisdiction.

How should I respond if a colleague shares someone else’s medical information with me?

Don’t pass it on — the chain stops with you. You may also want to gently remind the person who shared it that this type of information should stay private. If the disclosure seems serious — for example, medical information is being shared widely in ways that could affect the employee’s standing — report it to HR.

How to Use This Scenario in Training

Confidentiality and Code of Conduct training establishes the policy. This scenario makes it stick.

Xcelus recommends this scenario for all employees as part of a workplace privacy or Code of Conduct reinforcement program. It works particularly well deployed shortly after a foundational confidentiality course — the specific medical information context makes the policy principle concrete and personal in a way that abstract policy language cannot.
