How Much Medical Data Breach Compensation Can I Claim?

Today, medical records such as details of appointments, test results, diagnosis and prescription records are all stored digitally. Medical data breaches could expose your sensitive medical records and information. If your medical and health data has been compromised, you could make a medical data breach compensation claim.

In our guide to medical data breach claims, we explain what you need to know about seeking compensation. We begin by setting out what medical data breaches are, and when you could seek compensation. Next, our guide sets out how compensation may be calculated. Following this, you can find information on what is classed as medical data and how such a breach could occur. Finally, we take you through the steps you can take, how to start a claim and how to get help from our team.

Whether your medical information has been impacted by a malicious attack or human error, our team could help you to understand your rights. Our advisors are ready to help you and if they think you have a claim, could connect you to one of our specialist data breach solicitors.

Speak to a team member today by:

  • Calling one of our dedicated advisors on 0800 073 8801.
  • Clicking here to start a claim online.
  • Telling us about the compromise of your personal data using our online chat.

Am I Able To Claim Medical Data Breach Compensation?

You could seek medical data breach compensation if you can show that your data has been exposed in a breach due to a data controller or processor failing to comply with relevant data protection laws.

A personal data breach occurs where a patient’s personal data is disclosed, lost, accessed without authorisation, altered or destroyed.

Healthcare providers, whether the NHS or private healthcare providers, must safeguard patients’ personal data.

Data processors and data controllers must comply with the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR) when handling personal data.

  • A data controller determines (in accordance with the DPA and UK GDPR) how personal data may be used.
  • A data processor carries out data processing on behalf of the data controller.

Data processors and controllers may be the same or different parties. You could claim compensation where:

  1. A data breach occurred because a data controller or processor failed to act in line with data protection laws.
  2. The breach involved your medical data.
  3. This caused you financial loss and/or psychological distress.

Speak to one of our advisors about the eligibility criteria that medical data breach claims must meet.

The Average Medical Data Breach Compensation Amount

Whilst there may be an average amount of medical data breach compensation awarded in claims, this figure may not be helpful when considering what you could claim. For example, where a claimant experienced severe psychological damage, they could be awarded between £66,920 and £141,240 in compensation. However, other factors, such as therapy costs may affect the overall value of the settlement.

Each compensation claim is assessed on its own merits. This means that the unique circumstances of the breach, and the impact it has had on you, will be taken into account when determining how much you may be awarded.

The figure above, and those in the table below, are taken from the Judicial College Guidelines (JCG). This is a document which may be used when working out how much a claimant may be awarded. Note that the headline figure in the first row of the table has not been taken from the JCG.

| Injury | Severity | Notes | Compensation |
|---|---|---|---|
| PTSD or psychological damage plus material damage | Severe | A severe degree of PTSD or psychological damage, together with material damage. | Up to £500,000+ with material damage, such as awards for lost earnings. |
| Psychological damage | Severe - A | The claimant suffered marked problems in many aspects of their life. | £66,920 to £141,240 |
| Psychological damage | Moderately Severe - B | Whilst similarly impacted, this person has a more optimistic prognosis. | £23,270 to £66,920 |
| Psychological damage | Moderate - C | The claimant will markedly recover. | £7,150 to £23,270 |
| Psychological damage | Less Severe - D | The extent of any disability and its duration are taken into account. | £1,880 to £7,150 |
| Post-traumatic stress disorder (PTSD) | Severe - A | The claimant suffers permanent effects which stop them working (either as they did before, or at all). | £73,050 to £122,850 |
| Post-traumatic stress disorder (PTSD) | Moderately Severe - B | This claimant has a more optimistic prognosis. | £28,250 to £73,050 |
| Post-traumatic stress disorder (PTSD) | Moderate - C | The claimant has largely recovered and has not had any effects which are grossly disabling. | £9,980 to £28,250 |
| Post-traumatic stress disorder (PTSD) | Less Severe - D | This person will have fully recovered or will fully recover. | £4,820 to £9,980 |

How Is The Amount Of Compensation Determined?

Compensation amounts are determined by assessing both non-material damage and material damage. The assessment may consider the nature and severity of the personal data breach (including what information was affected), as well as the impact the breach has had, or will have, on the claimant’s life. The claimant’s recovery process, and the degree of recovery already made or anticipated, may also be taken into consideration.

  • Non-material damage – psychological or psychiatric harm caused by the data breach. This may include conditions affecting a person’s mental health, such as anxiety and stress. In more severe cases, it may also include post-traumatic stress disorder or severe psychological harm which leaves a claimant feeling suicidal after a data breach. The degree of distress suffered and its duration may be taken into account, as well as the degree of recovery.
  • Material damage – this encompasses financial losses which are directly caused by the breach. These are explored below.

Non-material damage may be calculated by referring to guidelines published by the JCG, as noted above. How much compensation you may be owed will depend on the individual circumstances of your claim.

What Else Can Medical Data Breach Compensation Cover?

As highlighted above, medical data breach compensation can also cover financial losses caused by the breach. The leaking or other exposure of medical information may lead to discrimination. For example, the exposure of sexual health information or mental health records could cause someone to be discriminated against.

In addition, whilst all healthcare service providers may hold a very wide range of health information, private healthcare providers may also hold financial information, such as credit and/or debit card details.

Financial losses may include:

  • Income lost due to taking time off work whilst dealing with the effects of this compromise of your personal data.
  • Relocation expenses, if the breach caused you to have to move home due to security and safety fears.
  • Home security costs, again due to safety fears.
  • Therapy or other mental healthcare costs, to treat any resulting conditions.

You must provide evidence which shows how you have been financially affected by the breach. You may supply copies of bank statements, invoices or other proof of loss.

Whether you suffered financial losses or psychological harm, such as anxiety, due to a data breach you could claim compensation. Speak to us to begin your claim.

What Is Classed As Medical Data?

Data concerning health is defined in Article 4(15) of the UK GDPR as personal data which relates to a person’s physical or mental health.

The provision of healthcare services and information regarding a person’s health status are included within this definition. Data concerning a person’s health is categorised as special category data. This means that it is considered to be more sensitive and is afforded greater protection. Genetic and biometric data, as well as data concerning someone’s sexual orientation and sex life, are also considered special category data.

Examples of what is classed as medical data include information on:

  • Patient data including your medical history, diagnosis of injury and/or disease, disability and/or disease risk, medical opinions and medical treatment provided.
  • Medical records including test results as well as data from medical devices.
  • Registration information, including personal information such as your name, address and contact information.
  • Your NHS (or equivalent) patient number.
  • Financial records such as records of treatment paid for, invoices and details of any payment methods retained on file.

Speak to a member of our advisory team to find out how to claim compensation if you have been affected by a personal data breach.

How Could A Breach Of Medical Data Occur?

Medical data breaches happen in a variety of ways. A breach of medical data could occur through human error or through a cyber attack on the organisation holding the data.

These include:

  • Phishing attacks involving emails designed to capture and steal patient data.
  • Other parties impersonating a healthcare organisation in an email or online.
  • Viruses targeting an organisation’s devices.
  • Third parties taking over an organisation’s website, or its email or social media accounts.
  • Malware or ransomware targeting an organisation’s devices.

Human error could lead to a medical or clinical data breach where:

  • Patients’ data is accessed without authorisation, e.g. medical staff accessing patients’ records without any lawful basis for doing so.
  • Medical data stored electronically or physically is stolen or lost.
  • Medical data is sent to the wrong recipient (a misdirected communication), e.g. a sexual health clinic sends a letter containing test results to the wrong postal address.

These are some examples of how medical data breaches could occur. This underscores the need for healthcare providers to adhere to data protection legislation.

These and other security threats highlight the need for strong protection of patients’ medical data. Our solicitors include experts in data breach compensation claims who could help and advise you. Contact us for further information on medical data breach compensation claims.

What Should I Do If My Medical Data Is Breached?

If your medical data is breached, there are several steps you can take. When a data breach occurs, the data controller should notify the Information Commissioner’s Office (ICO), the body which upholds data protection laws. You should also be notified. The notification should contain information on the breach, what data may be affected and the steps the organisation is taking.

If you have not received a notification letter, you should contact the organisation and request the above information from them. Further, the National Cyber Security Centre recommends individuals:

  • Be alert for any suspicious communications, such as text messages, emails, letters or phone calls.
  • Monitor online accounts, such as medical portals.
  • Monitor connected financial accounts, such as any bank accounts or credit cards you provided payment information for.

In addition, claiming data breach compensation can help you secure a payout for the impact of a compromise of your personal data. You must also collect supporting evidence. This may include:

  • The data breach notification letter – this and any further official communication from the data controller. This should include information on how your medical data has been impacted.
  • Your medical records – these should show how you have been impacted, such as through anxiety, stress or other psychological harm.

One of our solicitors could help you claim compensation for a breach of NHS or private healthcare data. Contact us to begin your personal data breach claim.

Get Help From Accident Claims

You can get help from Accident Claims UK. Our team understands the impact that medical data breaches could have on claimants. An advisor can help you to understand how the data breach claims process works, and if they think you have a claim, could connect you to one of our solicitors.

Our solicitors are experts in personal data breach compensation claims, with decades of combined experience. To date, they have helped people claim over £80 million in compensation. They can take on claims from people across the country.

Our No Win No Fee Data Breach Solicitors

Our solicitors can often take claims on through a type of No Win No Fee agreement, called a Conditional Fee Agreement (CFA).

Under a CFA, you are charged a success fee only if your case is won. The success fee is a set percentage of the compensation, which is deducted by the solicitor. The percentage deducted will be agreed in the CFA, and there is a legal cap on what may be charged. This also means your solicitor doesn’t charge a fee for their services when your claim commences or while it is ongoing. There also isn’t a solicitor’s fee to pay if your case is not successful.

Contact us today to discuss how our data breach solicitors could help you.

More Information

Here you can find more information relevant to data protection and compensation claims.

We hope our guide to claiming medical data breach compensation was helpful. For further information on how we can help those impacted by data protection breaches, please call our team.