The ACT government has sacked one employee and stood down two others as it investigates what it says is a "serious" and "deliberate" misuse of patient data.
Canberra Health Services (CHS) revealed this week that staff had sent the clinical records of 13 mental-health patients to an "industrial partner", which the government has refused to name.
CHS chief executive Dave Peffer said he became aware of the alleged privacy breaches last month, which had occurred over several years.
Today, Mr Peffer said his agency — which operates public hospitals, walk-in clinics and community health services — had sacked one employee and stood down two others.
The suspended staff have been placed on paid leave while the ACT's public sector standards commissioner investigates their conduct.
"When something like this happens, we move as quickly as we can," Mr Peffer said.
"Within our organisation, we take this incredibly seriously.
"It has sent a shock wave through our service."
He said health executives had contacted the 13 affected mental health patients to explain what happened and to support them.
The ACT government also alerted police as well as federal authorities responsible for human rights, privacy and health regulation.
Mr Peffer said CHS "apologised unreservedly" to the patients, and added that his organisation was "very conscious and aware of the trust that's put in us each and every day".
The government said the unnamed entity that received the confidential data was not a health insurance fund.
However, it would not provide further information, saying police would be dealing with the matter.