Can I Claim For A Medical Records Data Breach?

When you go to the GP, a hospital or other medical professional, you reasonably expect that your medical records will remain safe and secure. A person’s medical history should remain confidential unless there are exceptional circumstances or another lawful basis that allows for its disclosure. Sadly, this is not always the case, and your personal data can be breached. 

This guide about a medical records data breach will cover when you could be entitled to recover compensation. We will start by looking at how a medical data breach might happen and move on to how to know if such a breach has happened to you.

Whilst compensation cannot undo the data breach, we will tell you how it is calculated for this type of case and how the expert solicitors from our panel can help you claim it. We also discuss the benefits of using a No Win No Fee solicitor to bring your claim.

As you consider our guide, you can reach out to an advisor at any point. We offer a free, no-obligation case assessment and can tell you quickly if you have a potential claim for data breach compensation. To reach us, you can:

Choose A Section 

  1. Can I Claim For A Medical Records Data Breach?
  2. How Can Medical Data Breaches Happen? 
  3. How Do I Know If I’ve Suffered A Medical Data Breach? 
  4. What Data Breach Compensation Could I Receive?
  5. How Do I Report A Medical Records Data Breach To The ICO?
  6. Why Make A No Win No Fee Claim For A Medical Data Breach?
  7. More Resources About Claiming For A Data Breach

Can I Claim For A Medical Records Data Breach?

Two pieces of legislation protect data rights and apply to a medical records data breach in the UK: the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR).

When you share your personal information with a third party, you are a data subject. Personal data is a term used to describe data that could be used to identify you, e.g. your name, address or email. Naturally, you will share some personal data with medical professionals. They then have data protection responsibilities under the DPA and UK GDPR.

You will also share data of a more sensitive nature, called special category data, with medical professionals. This medical data includes your medical records.

The Information Commissioner’s Office (ICO) is an independent body responsible for the enforcement of data protection legislation and can hand out significant fines to organisations that breach data protection laws. They identify two main parties who process our personal data, namely data controllers and data processors.

A data controller defines the purpose for the data collection, and processors could be appointed to process the data on their behalf. Both controllers and processors of personal data must comply with the DPA and the UK GDPR.

The ICO defines a personal data breach as the loss of availability, confidentiality or integrity of personal data. It could be the case that your data is lost, altered or shared with unauthorised third parties.

You could claim damages following a personal data breach if you meet the criteria to do so.

What Are The Criteria To Claim?

To make a medical records data breach claim, you must be able to show:

  • That a data breach happened due to the failure of a controller or processor to fulfil their DPA and UK GDPR obligations (referred to as wrongful conduct). For example, the data controller could be your GP. They could instruct an external processor to process the data on their behalf. However, the GP surgery may also process the data themselves.
  • That this failure compromised your data.
  • That you were harmed emotionally or financially as a result.

Whilst a personal data breach of your medical records can cause you significant distress, it is important to remember that you must meet the criteria to be able to claim. It may be that the data controller or processor did their best to protect your data, but it was breached regardless.

There are also a limited number of circumstances when medical records are allowed to be disclosed to others, such as when it is in the patient’s best interests or ordered for disclosure by a court.

To see if you might be eligible to make a claim for a personal data breach, you can contact an advisor today.

How Can Medical Data Breaches Happen?

Let’s look at some circumstances that could give rise to a strong data breach claim following a breach of medical records:

  • Your GP is ordered to disclose your medical records during court proceedings but they post them to the wrong address.
  • An NHS psychiatrist leaves his laptop in a public place, and someone gains access to your treatment notes. This could lead to an NHS data breach compensation claim.
  • Sensitive information from your medical records is disclosed without your consent, e.g. your doctor tells an unauthorised person details of your sexual abuse contained in your medical notes. The data breach causes you to suffer depression.
  • Your medical test results are sent to the wrong email address.
  • Your medical professional has outdated and weak cyber security. A cyber attack is made, and your medical records are made public, causing you great distress.

What Are Examples Of Patient Data Breaches?

Here are some examples of personal data breaches from the ICO’s website to show how these types of cases can happen:

There are other ways a medical record data breach could occur and result in a claim. To check your own individual circumstances you can contact us. There is no obligation to go further than an initial conversation.

How Do I Know If I’ve Suffered A Medical Data Breach?

If a healthcare professional has suffered a data breach that is likely to result in a high risk of adversely affecting an individual’s rights and freedoms, then those affected should be told without undue delay.

It may be the case that you suspect that you have been the victim of a data breach but have not been notified. The best course of action is to ask the medical professional in question if there has been a data breach. You can always complain to the ICO if you receive an unsatisfactory response.

To bring a claim for damages following a medical records data breach, you will need evidence to prove your claim. This can include:

  • Correspondence between you and the third party that controlled or processed your data. This could establish how the data breach occurred.
  • Medical records or reports that detail any psychological injury you suffered as a result of the data breach.
  • Bank statements or wage slips (to help claim loss of earnings)

To discuss any aspect of making a data breach claim, reach out to an advisor.

What Data Breach Compensation Could I Receive?

A successful data breach claim can compensate you for two types of harm.

Psychological injury or harm caused by a data breach is called non-material damage. This includes pre-existing conditions that have worsened due to the data breach. For example, a data breach could exacerbate your anxiety.

To calculate the compensation for psychological injuries, an independent medical report can be obtained. This will detail the injury and give a prognosis. This can be used alongside the Judicial College Guidelines (JCG) to help value the injuries.

The JCG contains a range of different psychological injuries and gives compensation guideline brackets for them. They are guidelines, and every injury is slightly different. Below is a table of injuries from the JCG and the suggested compensation bracket, except for the top row which is not from the JCG. Please only use this table as guidance. 

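| Injury | Severity | Guideline Compensation |
|---|---|---|
| Multiple psychological injuries and financial losses | Serious | Up to £250,000 plus |
| Psychiatric Damage | Severe | £66,920 to £141,240 |
| Psychiatric Damage | Moderately Severe | £23,270 to £66,920 |
| Psychiatric Damage | Moderate | £7,150 to £23,270 |
| Psychiatric Damage | Less Severe | £1,880 to £7,150 |
| Post-Traumatic Stress Disorder | Severe | £73,050 to £122,850 |
| Post-Traumatic Stress Disorder | Moderately Severe | £28,250 to £73,050 |
| Post-Traumatic Stress Disorder | Moderate | £9,980 to £28,250 |
| Post-Traumatic Stress Disorder | Less Severe | £4,820 to £9,980 |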

You may also receive an award for material damage. This is the financial loss caused by the data breach, for example, loss of earnings or medical treatments. These losses need to be evidenced, so things like wage slips, receipts and invoices can be very useful.

To talk about the types of losses you can claim after your data breach, get in touch with us today.

How Do I Report A Medical Records Data Breach To The ICO?

You do not need to report a data breach to the ICO to advance a claim, but you may wish to do so anyway. This could potentially lead to a fine for the data processor or controller. The maximum fine from the ICO is £17.5 million or 4% of the total annual worldwide turnover (whichever is greater).

Your claim would be independent of any ICO fine, and the ICO cannot make the data controller or processor pay you damages. This is why a data breach claim is necessary.

Why Make A No Win No Fee Claim For A Medical Data Breach?

The solicitors on our panel are experts in data breach claims with years of dedicated experience. They can help you by:

  • Collecting evidence to support your claim
  • Inviting you for an independent medical assessment
  • Advising you about the potential damages you could receive
  • Negotiating a settlement on your behalf
  • Dealing with all court forms and paperwork if your claim does go to court (most settle before that stage). 

If your case is accepted, a solicitor from our panel may offer you a Conditional Fee Agreement (CFA). This is a type of No Win No Fee agreement. It has several advantages:

  • As your case begins, you do not need to pay upfront for solicitor fees
  • As the claim continues, there are no fees due to your solicitor
  • If the case is unsuccessful, you do not need to pay any solicitor fees

A success fee is deducted from the compensation awarded in successful claims and paid to the solicitor. This success fee is a percentage and it has a legal cap. It will also be agreed upon before the case starts. You will keep the majority of the compensation awarded.

To find out if you are eligible to work with one of the experienced solicitors from our panel:

More Resources About Claiming For A Data Breach

Hopefully, this guide about medical data breach claims has been informative. Here are some further guides that you may find useful:

Finally, here are some external resources you might like to read:

Thank you for reading this guide about a medical records data breach.