What Are My Rights After A GP Surgery Data Breach?

Welcome to this guide covering what you could do after a GP data breach. If you’ve been psychologically harmed by a GP surgery data breach, you may be wondering whether there’s anything you could do about it. A GP breach of data protection could, after all, have caused you anxiety and distress, and may even have caused you to lose sleep.

You may already know that if you’re affected financially by a breach of your data protection rights in the UK, you could be eligible for compensation. But did you also know that you could claim for the emotional harm a breach causes too? We have put together this guide to help you if you’ve suffered distress, anxiety, or any other psychological injuries due to such a breach.

I Suffered A Psychological Injury After A GP Surgery Data Breach, What Are My Rights?

In the sections below, we give you an insight into the laws that protect your personal data. We explain what your data protection rights are, and how a GP surgery could breach them. In addition to this, we explain the reason you could claim for psychological injuries and give you some insight into guideline payout amounts for such injuries.

Whether a GP breach of data protection happened by accident or was the result of malicious behaviour or negligence, we’d be happy to help you with your claim. We could offer you a free, no-obligation eligibility check, answer your questions and even refer you to a No Win No Fee data breach lawyer to help with your claim. If you’d like to speak to our team, simply call 0800 073 8801, and we’ll be happy to help you.

A Guide To Personal Data Breach Claims Against A GP Surgery

To provide you with healthcare, a GP surgery would need some of your personal data. Patient records contain lots of personal data, as well as sensitive medical information about any illnesses or injuries you might have and the treatment you’re receiving.

In order to comply with data protection law, including the GDPR and the Data Protection Act 2018, a GP surgery would need to take steps to protect that data from being breached. But sometimes things can go wrong. If they have, this guide could help you learn what to do if the GP breach of data caused you to suffer financial or emotional harm.

A GP surgery data breach could happen due to the surgery’s negligence in taking steps to protect your data. It could also happen due to a malicious act, such as a hack, virus or DDoS attack. Or you might suffer a data breach if a GP surgery employee sends your data accidentally to someone else.

No matter how the GP privacy breach of data protection happened, it could have a number of unwelcome results. Someone could exploit your data and sell it on, hold it for ransom, or delete it, for example.

Some GP data breaches could damage your reputation or cause you emotional harm. Under data protection law, a data subject has the right to claim compensation for the damage they suffer due to a failure in GDPR compliance by any organisation.

How This Guide Could Help

If you’re wondering what to do if a GP data breach happens to you, this guide could give you the information you need to begin a claim for compensation. Below, we explain how a data breach could happen and give an example of the enforcement action the Information Commissioner’s Office could take against an organisation that breaches the protection of personal data.

We also give you an insight into how solicitors and courts could calculate compensation for such a case, and what steps you could take to get the compensation you deserve.

What Personal Data Could A GP Surgery Hold About Me?

Patient medical records could contain a variety of personal information. They may contain:

  • Your contact information, such as your name, date of birth, contact details, email address, and location details.
  • Financial data: If you pay for treatment, a GP surgery could have some of your financial information such as your credit card details or bank details.
  • Special category data: This could include information on your ethnic origin, health data, biometric information and sexual orientation, for example.

Depending on the nature of the breach and the type of data that is breached, it could cause you both non-material and material harm. If you’ve suffered financial loss or emotional harm from a GP surgery data breach, you could claim compensation for both or either.

What Is A Personal Data Breach Claim Against A GP Surgery?

When a GP surgery processes, stores and collects your personal information, this could make them a data controller. As a data controller, your GP surgery should abide by data protection legislation, including the Data Protection Act 2018; legislation that enshrines in law the UK’s application of the world’s strictest data security/privacy law, the GDPR. Under this legislation, GP surgeries, just like other data controllers, should abide by the following principles:

  • Accountability: GP surgeries should demonstrate GDPR compliance.
  • Confidentiality and integrity: GP surgeries should have data security measures in place to protect personal data.
  • Accuracy: They should also make sure all data is regularly updated to ensure its accuracy.
  • Fairness, lawfulness and transparency: Collection, storage and processing of personal data should be done lawfully, fairly and with transparency towards data subjects.
  • Purpose limitation: Data should only be used for specified purposes.
  • Minimisation of data: Only the minimum data needed should be processed.
  • Storage limitation: A GP surgery should only store personal data for the minimum period needed.

An organisation that fails to comply with data protection law could face investigation from the Information Commissioner’s Office, a public body that upholds the data rights of individuals. Those that suffer a data breach could be placed on the ICO breach register, and may even have to pay ICO fines.

What Constitutes A GP Surgery Data Breach?

The ICO describes data breaches as incidents leading to personal data being subject to unlawful or unauthorised:

  • Alteration
  • Deletion
  • Transmission
  • Disclosure
  • Access

How Could Data Breaches Happen?

Such breaches could happen in a number of different ways, for example:

  • Malicious cyber attack: A cyber criminal could find out what parts of a GP surgery’s computer systems are vulnerable. They could then launch an attack on cloud databases, or even through a VPN (virtual private network). Once they’ve gained access to computer systems, they could use spyware, malware, ransomware or other types of cyber attack.
  • Staff mistakes: A GP surgery data breach could also happen because a member of staff makes an error. They could accidentally have sent your data to someone who shouldn’t have seen it. Or, they may even have left a filing cabinet unlocked which contained personal data, allowing someone to gain unauthorised access.
  • Negligence: There are various types of cyber security protection a GP surgery could employ, such as a firewall, or other software. If they fail to adequately protect your information, this could lead to a data breach.

Whether your data breach claim relates to a phishing attack, malware, an employee error or negligence, we could assess your case to see if you could claim. We’d be happy to help you by providing you with a data breach solicitor who could fight for the compensation you deserve.

How common are GP surgery data breaches?

We do not have figures as to how many data breach incidents have affected GP surgeries specifically. However, we can tell you that, according to the ICO figures for Q2 2021/22, healthcare saw the highest number of breach incidents in this period. Below, you can see what other sectors were affected.

[Graph: GP surgery data breach statistics]

Within the health sector, we can reveal that 435 data breaches were reported in Q2 2021/22. Of these, only 33 were cyber related; the others were not. The figures do not specifically break down the causes of the healthcare sector’s data breaches. However, the most common cause of breaches across all industries was people’s information being sent to the wrong person via email. Unauthorised access, ransomware and phishing were also common causes of breaches.

What Should A GP Surgery Do If They Have Had A Medical Records Data Breach?

There are several things a GP surgery should do if they suffer a breach of data protection. They should have a process through which they assess potential data breaches. As part of this assessment, they need to identify whether a breach risks the freedoms or rights of any data subjects. If there is a risk, they must inform the data subjects, and they must inform the ICO within 72 hours.

The information they should try to include in an ICO data breach report includes:

  • What kind of breach occurred
  • How many individuals and records were impacted
  • The data protection officer’s contact details, or details of the relevant contact
  • What consequences there could be
  • A description of the measures the organisation will take or has taken to rectify the problem

If there is no risk to the freedoms and rights of data subjects, the organisation doesn’t need to make a data breach report to the ICO. However, they do have to keep records of all breaches.

Examples Of Action Taken By The ICO Against A GP Surgery

If you’re wondering does the ICO enforce GDPR, the answer is yes. It also enforces other data protection legislation such as the Freedom of Information Act and the Data Protection Act 2018. Under the UK GDPR, the ICO has the power to fine organisations up to a maximum of £17.5 million or 4% of the organisation’s global annual turnover.

The Doorstep Dispensaree Breach

In 2019, Doorstep Dispensaree received a fine of £275,000 for a breach of data protection. The fine was issued due to the organisation’s failure to protect special category information. According to the ICO, the organisation left approximately 500,000 records in unlocked containers. These were found on the organisation’s premises and contained NHS numbers, medical information and name and address details.

Does The ICO Help You Claim?

The ICO can issue fines to those who they find have breached data protection law. However, they do not help claimants get compensation, nor do they pay it. While you can raise a complaint to the ICO, and they could act against the organisation, you would have to make your own claim against an organisation that breached your data. You do not have to have reported your breach to the ICO to make your claim. Instead, you could contact a solicitor and get them to help you, or you could try to raise a claim on your own. There are many reasons why claimants choose to work with solicitors on their claims, and we would be happy to explain these to you over the phone.

When Could You Claim If The GDPR Is Breached?

To claim for a GP surgery data breach, a claimant would need to evidence:

  1. A breach of your data rights had taken place
  2. There was fault (wrongful/negligent action or inaction) on the part of the organisation
  3. Your data was exposed
  4. You suffered emotional or financial harm because of the incident

You should submit your claim within the limitation period (6 years for breaches of data; 1 year for breaches involving public bodies).

What Are The Data Protection Rights?

If you’re wondering what your data rights are, in certain circumstances, they include the right to:

  • Data portability
  • Erasure of your data
  • Access to your data
  • Restrict the processing of data
  • Rectification of your data
  • Be informed
  • Object to the use of your data

You also have some rights relating to automatic decision making and profiling.

Does My Case Need To Go To Court?

You may not necessarily have to have your case heard in court to claim compensation. If you approach the surgery directly, they could offer you compensation. If they do not accept your request for compensation, you could find a No Win No Fee data breach solicitor who could help you negotiate a settlement, either out of court or through the courts, depending on your case. We could introduce you to a data breach lawyer to help with this.

What Evidence Do I Need For A GP Surgery Data Breach Claim?

You would need evidence to make a claim for GP surgery data breach compensation. Evidence that could be useful in helping you prove your claim could include:

  • A copy of the data breach complaint you’ve sent to the surgery
  • The surgery’s response to your report (if one exists)
  • The surgery’s notification that you were the victim of a data breach
  • Any evidence of the breach itself
  • Any documents that evidence the financial impact of the breach
  • A medical report, if you intend to claim for psychological or psychiatric injuries

If you’d like to know what evidence could be useful for your specific case, why not call our team. We’d be happy to answer your questions and get you the help you need.

GP Surgery Data Breach Compensation Calculator

Claimants could be eligible for compensation for financial losses, but they could also claim for psychiatric or psychological injuries too. A legal precedent was set in the case Vidal-Hall and others v Google Inc [2015] – Court of Appeal. During the case, the presiding judge said that awards like those in personal injury claims for psychiatric/psychological injury should be a consideration. Additionally, you could claim psychological injury even if you didn’t suffer financial loss.

Evidence For Psychological Injuries

In terms of what evidence you’d need to claim for psychological harm, an independent medical expert would need to complete a medical assessment. They’d examine you, ask you questions and write a report that could be used to evidence the severity of your injuries and your prognosis too.

Courts and solicitors could then use this report alongside a legal publication, the Judicial College Guidelines, to hone in on a value for your injuries. Below, you will see a table containing figures from this legal publication. This could give you some insight into guideline payout amounts for this type of injury.

| Psychiatric/Psychological Injury Type | JCG Compensation Guidelines | Severity |
|---|---|---|
| Cases that involve post-traumatic stress injuries/PTSD | £56,180 to £94,470 | Severe |
| Cases that involve post-traumatic stress injuries/PTSD | £21,730 to £56,180 | Moderately severe |
| Cases that involve post-traumatic stress injuries/PTSD | £7,680 to £21,730 | Moderate |
| Cases that involve post-traumatic stress injuries/PTSD | £3,710 to £7,680 | Less severe |
| Psychological injuries in general | £51,460 to £108,620 | Severe |
| Psychological injuries in general | £17,900 to £51,460 | Moderately severe |
| Psychological injuries in general | £5,500 to £17,900 | Moderate |
| Psychological injuries in general | £1,440 to £5,500 | Less severe |

Examples Of What Material And Non-Material Damages You Could Claim

Earlier in this guide, we mentioned that you could claim for both material and non-material damages in a GP surgery data breach claim.

  • Non-material: These are damages that could include the psychological injuries illustrated above.
  • Material: These are the quantifiable financial expenses associated with a data breach. They could include the cost of any monies stolen from you and the financial expense of identity theft, for example.

If you don’t know what damages you’d be able to claim, we could help you. We would be glad to assess your case to see what compensation you could claim.

No Win No Fee Personal Data Breach Claims Against A GP Surgery

Some claimants may want to take advantage of the benefits of using a lawyer to make a data breach claim. However, they may worry about how much it costs to do so. There is a way in which you wouldn’t have to pay upfront fees, and still use a solicitor for your claim. No Win No Fee data breach claims could allow the victim of a data breach to use the services of a data breach lawyer without paying solicitor fees until the end of the claim.

Instead, claimants would sign an agreement promising to pay their data breach solicitor a small, legally capped percentage of their total payout, known as a success fee. The lawyer would deduct this from the compensation payout.

No Win No Fee Claims Explained

The process of claiming under No Win No Fee terms generally works as follows:

  • You would receive a No Win No Fee agreement, which your lawyer would send to you. By signing the agreement, you’d be agreeing to pay the success fee if your claim resulted in compensation.
  • Once you return the signed agreement, your data breach lawyer would start to work on your claim.
  • They would negotiate with the GP surgery or its representatives for a settlement. If required, they could also file legal paperwork with the courts so that your claim could be heard there.
  • Once your compensation settlement comes through, your solicitor deducts the agreed success fee. You would then benefit from the balance.
  • If your case isn’t successful, you wouldn’t need to pay the solicitor fee at all.

You might be interested to read our guide on No Win No Fee claims. Alternatively, if you have questions, please don’t hesitate to call us. We’d be happy to talk to you.

Contact A Data Breach Claims Advisor

Are you ready to begin a GP surgery data breach claim or do you have further questions you’d like us to answer? Either way, we’d be happy to assist. You can reach our friendly team of expert advisors:

FAQs On GDPR Data Breach Claims

What Does GDPR Mean For GP Surgeries?

GDPR means that GP surgeries must take steps to ensure they protect the privacy and security of personal data relating to data subjects including patients, staff and other people whose personal data they collect, store or process. A failure to do so could mean they risk enforcement action, such as fines, and they could also have to pay compensation to victims of data breaches.

How Much Does The NHS Pay For Data Breach?

The NHS does not pay a set amount for a breach of data. Each claim would be assessed on its own merits. A data breach solicitor could help you fight for the maximum compensation possible for your case.

Can I Sue The NHS For Breach Of Confidentiality?

If they have breached the confidentiality of your personal data, and you have suffered financial or emotional harm, you could sue the NHS. However, you would need to demonstrate that you’d attempted to rectify the issue with the NHS before filing legal paperwork.

Can I Claim Compensation For A Data Breach?

If you suffer emotional or financial harm from a data breach and you can prove this, you could claim compensation. While you do not legally need a data breach lawyer to help you, many claimants prefer to have a legal professional put together their case and negotiate compensation on their behalf.

Related Guides

Guide To Data Breaches – NCSC: The National Cyber Security Centre provides information on what action a person could take if they have suffered a data breach.

Results Of The Cyber Security Survey: You can read about how many organisations have reported data breaches, and other information relating to breaches in the government’s survey.

Data Protection Gov.uk: You can read the government’s guide to data protection here.

Stress Claims: If you’re suffering from stress relating to a work data breach, this guide could give you some insight into making claims for stress.

Anxiety Compensation: Claiming compensation for anxiety? This guide could give you some useful information.

Are There Potential Pitfalls To Suing An Employer?: If you’re worried about what claiming against an employer could mean for you, this guide could offer some reassurance.

Thank you for reading our guide to making a GP surgery data breach claim.