By Daniel Sisko. Last Update 1st June 2022. Welcome to our guide on medical data breach compensation. Below, we answer questions about a medical data breach, such as ‘Can I sue the NHS for a data breach?’ and ‘ What are the possible consequences on the patient and the healthcare institution if a medical records data breach has occurred?’ We also look at medical data breach compensation payouts in detail, explaining what could affect the amount of data breach compensation you could receive.
Could you claim for a medical records data breach?
If a medical data breach happens, it could affect you in a number of different ways. Depending on the data involved in the healthcare data breach, you could experience reputational damage, loss of privacy and even psychological injuries. If you have suffered financially or emotionally because of a medical information data breach in the UK, you may be wondering whether there’s anything you could do about it and whether medical data breach compensation could be claimed.
This guide explains what could cause a healthcare data breach, and whether you could be eligible for medical data breach compensation. We also show you how you could find a data breach lawyer to help you under No Win No Fee terms.
A data breach could happen as the result of human error, mismanagement of your data, or it could be the result of a malicious cyberattack, such as a hack. We discuss these incidents in more detail in the below sections of this guide. In addition to this, we offer some insight into how much compensation a medical information data breach claim could bring, and what you’d need to begin a claim.
If we can be of any assistance to you, whether by assessing your eligibility to claim, answering your questions or providing you with a data breach solicitor for your claim, you can reach us on 0800 073 8801. We’d be glad to assist.
Select A Section
- A Guide To Medical Data Breach Claims
- What Medical Data About Me Could Be Held?
- What Is A Medical Data Breach Claim Against A Healthcare Provider?
- Action A Healthcare Provider Should Take If They Have Had A Data Breach
- Examples Of Action Taken By The ICO Against Medical Service Providers
- When Could You Claim For A GDPR Medical Data Breach?
- What Evidence Do I Need To Make A Medical Data Breach Claim?
- Medical Data Breach Compensation Payouts For 2022
- Types Of Material And Non-Material Damages That Could Be Awarded
- No Win No Fee Medical Data Breach And GDPR Breach Claims
- Contact An Advisor
- Medical Data Breach Claim FAQs
- Related Guides To Claiming Medical Information Data Breach Compensation
A Guide To Medical Data Breach Claims
Whether a data breach occurs at your GP surgery, at a local hospital or in another healthcare setting, it can have a number of unwanted consequences. If you’ve fallen victim to a healthcare data breach and suffered material or non-material damages (including distress) as a result, you could make a medical data breach claim against the organisation that caused the data breach.
It does not matter whether a staff member accidentally sent your health data to an unauthorised recipient or your surgery was subjected to a hack or cyber attack. Both of these incidents, as well as negligence, could cause your medical data to be breached and if it has harmed you, you could claim medical data breach compensation.
This guide explores in detail the laws that are in place to protect sensitive personal information, including sensitive medical information. We describe how data breaches have happened in the past, and what action you could take if you’ve been affected by a breach.
We also discuss the reason claimants could claim for psychiatric and psychological injuries, if they suffer such injuries due to a breach of their data protection.
At the end of this guide, we answer some frequently asked questions about making claims for GDPR breaches and provide you with some further resources, as well as explaining how we could help you begin your claim.
What Medical Data About Me Could Be Held?
Patient records could contain lots of very sensitive information that you would expect a healthcare provider to protect. In fact, they have a legal duty to do so under the UK GDPR and the Data Protection Act 2018. Personal data, as defined in the UK GDPR and explained in the ICO’s guidance, is information relating to a person who could be identified, either from that information alone or when it is combined with other information. It could include:
- Personal information such as your name, contact information, address, email address or location details
- Financial information such as your health insurance details or, if you pay for treatment, your credit card or bank details
- Special category data such as racial or ethnic origin, religion, genetic data, medical information, sexual orientation and biometric data, for example
No matter what type of data is breached, if your healthcare provider breaches your personal data, causing you financial or emotional harm, you could be eligible for compensation.
What Is A Medical Data Breach Claim Against A Healthcare Provider?
When a healthcare provider decides how and why your personal data is collected, stored and processed, it is the data controller for that data. As such, there are specific laws it must abide by, namely the UK GDPR and the Data Protection Act 2018, which sits alongside it. Under the UK GDPR, organisations, including healthcare providers, must abide by the following principles when collecting, storing or processing personal data:
- Transparency, fairness and lawfulness: Any processing, storage and collection of data must be done in accordance with the law. Organisations must process data fairly and must be transparent with data subjects.
- Purpose limitation: Organisations must identify the purpose for processing data and must limit their processing to the identified purpose.
- Data minimisation: Organisations must only use the minimum amount of data required for processing.
- Accuracy: Data controllers must ensure that personal information is up to date and accurate.
- Storage limitation: They must only store data for as long as it is needed.
- Integrity and confidentiality: Organisations must have appropriate data security measures in place to protect personal information.
- Accountability: Data controllers must demonstrate compliance.
Organisations that breach data protection law could be investigated by the ICO, and they could even receive ICO fines for infringements of the UK GDPR. Victims of data breaches also have rights of their own. Article 82 of the UK GDPR gives anyone who has suffered damage because of an infringement the right to claim compensation from the controller or processor responsible, and section 168 of the Data Protection Act 2018 confirms that ‘non-material damage’ includes distress. This is the basis on which healthcare data breach compensation for material and non-material damages caused by a breach is claimed.
How Could A Data Protection Breach Of My Medical Records Happen?
A data protection breach of medical records could happen in a variety of circumstances. Examples could include:
- Malicious Acts: A healthcare provider could fall victim to a cyberattack. An attacker could find and exploit a vulnerability in an internet-facing system, such as an unpatched remote access (VPN) gateway or a misconfigured cloud service, or could obtain a member of staff’s login details through phishing. Once they have access, they could install malware such as ransomware or spyware and copy, encrypt or destroy your personal data.
- Staff errors: Sometimes, a staff error could cause a data breach. For example, they might send sensitive information to the wrong recipient. This could also represent a medical records breach. A breach could even happen if files are misplaced, or if a failure to lock a filing cabinet containing data leads to unauthorised access.
- Negligence: If a healthcare provider hasn’t adequately protected its systems, for example by failing to apply security updates, leaving systems exposed without a firewall or other access controls, or not restricting who can view patient records, the resulting loss or exposure of data could be considered a breach.
Whether your data breach involved hacking, phishing, a DDoS attack that left records unavailable, human error or theft of computer equipment, if you suffer harm from it, you could be eligible for compensation.
Action A Healthcare Provider Should Take If They Have Had A Data Breach
There are several things an organisation should do if it has a medical records data breach. It should contain the breach and assess the risk it poses to the individuals affected. If the breach is likely to result in a risk to the rights and freedoms of data subjects, it must report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to those individuals, it must also tell them without undue delay.
The information a healthcare provider should put in a data breach report to the ICO includes:
- The nature of the breach
- Number of individuals concerned
- How many records were concerned
- The details of the data protection officer or another contact point
- Descriptions of what consequences could arise
- Explanation of measures taken or to be taken to rectify the breach
If a medical data breach is unlikely to result in a risk to the rights and freedoms of data subjects, the organisation doesn’t have to report the breach to the ICO. However, it must still keep its own record of the breach, including its reasons for not reporting it.
Examples Of Action Taken By The ICO Against Medical Service Providers
The Information Commissioner’s Office (ICO) upholds the data rights of individuals. It investigates incidents pertaining to data protection infringements and can take enforcement action against those who breach data protection law.
Does The ICO Enforce GDPR?
The ICO does enforce the UK GDPR. For the most serious infringements, it could issue fines of up to £17.5 million or 4% of an organisation’s total annual worldwide turnover, whichever is higher.
What Action Has The ICO Taken Against A Medical Service Provider?
One example of action the ICO took against a medical services provider happened in 2019. The ICO issued a fine of £275,000 against Doorstep Dispensaree when they failed to protect special category data. The incident related to the failure to secure around 500,000 documents containing personal data, which were left in unlocked containers on the organisation’s premises. The data included medical information, NHS numbers, names and addresses.
How Common Are Medical Information Data Breach Incidents?
If we look to the ICO’s website, we can view the numbers pertaining to data breach incidents in the healthcare sector. For example, in Q2 2021-22, we can see that there were 435 data security incidents reported to the ICO from the healthcare sector in this period alone. We’ve included a graph below that shows how this compares to other industries.
You might be surprised to find that the majority of healthcare data breach incident reports for this period are not cyber security incidents. In fact, the most common causes of data breaches across many sectors are not cyber related. The most common of all is data sent by e-mail to the wrong recipient. There are several reasons this could happen. Someone could mistype the email address. Such breaches could also happen if autofill completes an e-mail address incorrectly and the sender doesn’t check the recipient before sending. Other e-mail data breaches occur when a message is sent to many people using To or CC rather than BCC, so every recipient sees every other address, or when personal data is not redacted before information is emailed to a third party.
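As an added example (this is not code from the original guide or from any organisation it mentions), the following Python pre-send check shows how the three e-mail failures just described could be caught before a message leaves: a recipient domain that is a one-keystroke lookalike of a trusted domain, a bulk send with external recipients visible in To/CC instead of BCC, and an unredacted NHS number in the body. The trusted-domain list, the threshold and the sample message are constructed assumptions for the example; the NHS number check digit is the standard modulus 11 test, which is what stops ordinary phone numbers from being reported.

```python
"""Pre-send checks for outbound e-mail that may carry patient data.

Hypothetical gate for a mail client or gateway. The trusted domains,
threshold and sample message below are constructed for this example.
"""
import re

# Constructed allowlist: domains this organisation legitimately e-mails.
TRUSTED_DOMAINS = {"nhs.net", "example-trust.nhs.uk"}
# More external addresses than this in To/Cc looks like a failure to use Bcc.
MAX_VISIBLE_EXTERNAL = 1

# NHS numbers are ten digits, usually written as 3-3-4 groups.
NHS_NUMBER_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")


def is_valid_nhs_number(candidate: str) -> bool:
    """Modulus 11 check digit: weights 10..2 over the first nine digits,
    check = 11 - (sum mod 11); a result of 11 means 0, 10 means invalid."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 10:
        return False
    total = sum(d * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == digits[9]


def find_nhs_numbers(text: str) -> list[str]:
    """Return only the ten-digit groups whose check digit verifies, so that
    phone numbers and other ten-digit strings are not flagged."""
    found = []
    for m in NHS_NUMBER_RE.finditer(text):
        raw = "".join(m.groups())
        if is_valid_nhs_number(raw):
            found.append(raw)
    return found


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-keystroke domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def check_outbound(to: list[str], cc: list[str], body: str) -> list[str]:
    """Return a list of findings; an empty list means the message may be sent."""
    findings = []
    external = []
    for addr in to + cc:
        dom = domain_of(addr)
        if dom in TRUSTED_DOMAINS:
            continue
        external.append(addr)
        # A domain within two edits of a trusted one is a likely mistype or
        # bad autofill rather than a genuine third party.
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(dom, trusted) <= 2:
                findings.append(f"lookalike domain: {addr} resembles @{trusted}")
    if len(external) > MAX_VISIBLE_EXTERNAL:
        findings.append(
            f"{len(external)} external recipients visible in To/Cc; use Bcc")
    nhs = find_nhs_numbers(body)
    if nhs and external:
        findings.append(
            f"unredacted NHS number(s) {nhs} going to external recipient(s)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a discharge summary about to go to a mistyped domain.
    body = ("Dear colleague, please see the attached discharge summary for "
            "NHS number 943 476 5919. Call 0161 234 5678 with any queries.")
    for finding in check_outbound(["j.smith@nhs.met"], [], body):
        print("BLOCK:", finding)
```

Run stand-alone, the sample message is blocked twice: once because nhs.met is one edit away from nhs.net, and once because a verified NHS number is going to an address outside the trusted domains; the phone number in the same message fails the check digit and is ignored. In practice a check like this would sit in a data loss prevention rule on the mail gateway rather than in the client, so that it cannot be skipped by the sender.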
When Could You Claim For A GDPR Medical Data Breach?
To make a claim for a data breach you’d need to demonstrate that:
- A medical provider breached your data because it failed to comply with data protection law, for example through error or negligence
- You encountered financial or emotional harm because of the medical information data breach.
It may not be necessary to take your healthcare data breach claim to court to get the compensation you deserve. You could first complain directly to the organisation about the breach and, if you are not satisfied with its response, a data breach solicitor could help you take your claim further, which may include negotiating a settlement before any court proceedings.
What Evidence Do I Need To Make A Medical Data Breach Claim?
If you’re looking to make a medical data breach claim, you might want to know what evidence you’d need. In general terms, you’d need to evidence the breach itself, as well as the impact it had on you. Evidence that could help to do this could include:
- A copy of a letter or email from the organisation confirming you’ve been a victim of the data breach
- Any response to your complaint
- Documents evidencing the financial impact of the breach, such as credit card bills or bank statements
- Medical evidence if you’ve sustained psychological injuries
Data breach lawyers would be able to tell you what evidence they’d need to submit as part of your claim. If you’d like us to refer you to a data breach lawyer, we’d be happy to help.
Medical Data Breach Compensation Payouts For 2022
If you are considering making a healthcare data breach claim, you may be wondering what compensation you could be eligible for. Two important cases have set precedents relating to what compensation you could claim and when. In Vidal-Hall and others v Google Inc, the Court of Appeal held that compensation for distress (non-material damage) can be claimed even where no financial loss has been suffered, so material and non-material damages can be claimed independently of one another.
The second precedent comes from Gulati & Ors v MGN Ltd. In this case it was held that compensation for the distress and psychological effects of a misuse of private information should be assessed with reference to the level of personal injury awards, which is why the Judicial College Guidelines below are used as a reference in data breach claims. It is important, however, to recognise that injuries must be supported by strong evidence, as we explain below.
In this section, we have included a table containing some example entries from the Judicial College Guidelines (JCG). The JCG was last updated in 2022. Legal professionals use this publication as a reference when valuing non-material damages in data breach claims.
As mentioned earlier, this is the amount that’s awarded to you in accordance with the level of pain and suffering you experience as the result of a medical data breach. Compensation can vary in value according to the severity of your injuries and any long-term effects.
Due to the fact that each personal data breach claim is unique, the figures below should only be used as guidelines. Generally, the more severely your mental health is impacted by a data breach, the more your non-material damages payment tends to be worth. The best way to receive an accurate valuation is to contact us today.
Our advisors are ready to answer any questions you may have regarding the potential value of your personal data breach claim.
| Psychological/Psychiatric Injury | Compensation Bracket | Level of Severity |
|---|---|---|
| Post-traumatic stress disorder (PTSD) | £59,860 to £100,670 | Severe |
| Post-traumatic stress disorder (PTSD) | £23,150 to £59,860 | Moderately severe |
| Post-traumatic stress disorder (PTSD) | £8,180 to £23,150 | Moderate |
| Post-traumatic stress disorder (PTSD) | £3,950 to £8,180 | Less severe |
| Psychiatric damage (general) | £54,830 to £115,730 | Severe |
| Psychiatric damage (general) | £19,070 to £54,830 | Moderately severe |
| Psychiatric damage (general) | £5,860 to £19,070 | Moderate |
| Psychiatric damage (general) | £1,540 to £5,860 | Less severe |
Types Of Material And Non-Material Damages That Could Be Awarded
We mentioned earlier in this guide that a medical data breach claim could include non-material and material damages. But what could this involve?
- Non-Material Damages: These compensate claimants for the distress and psychological injuries a breach causes.
- Material Damages: These are the actual and projected financial losses a breach causes. They could relate to fraud, identity theft or monies stolen from bank accounts, for example.
If you are unsure as to what damages you could claim, we could help. We’d be happy to offer you a free eligibility assessment, and could provide you with a No Win No Fee lawyer to help you with your case.
No Win No Fee Medical Data Breach And GDPR Breach Claims
Do you want to use the services of a data breach lawyer to make your claim? If so, you might be pleased to learn that with No Win No Fee claims, you wouldn’t need to pay such a lawyer their fee upfront. Instead, you would pay them a percentage of your compensation, agreed in advance, at the end of your claim as a success fee.
How Could A No Win No Fee Medical Data Breach Claim Work?
- At the start of your claim, your lawyer would send you a Conditional Fee Agreement, which is the formal name for a No Win No Fee agreement. You’d need to sign it and return it to them. The document specifies the success fee you’d pay from your compensation if your case is successful.
- Once you have signed and returned the agreement, the data breach solicitor would begin work on your claim. They could build a body of evidence and submit it on your behalf.
- The solicitor would negotiate a compensation settlement for you. If your case needed to go to court, they’d support you through this process.
- When your compensation settlement comes through, the solicitor deducts their success fee, with the rest being left for your benefit.
- If your case doesn’t win, you don’t need to pay the solicitor’s fee.
If you want to look in more detail about what No Win No Fee claims involve, why not chat with our team and have your questions answered over the phone.
Contact An Advisor
We recognise that you may have further questions about making a claim for a breach of your data privacy. We’d be glad to answer those questions, and we could also assess your eligibility to claim medical data breach compensation for free. In addition to this, we could refer you to a data breach lawyer to begin your compensation claim. To reach our expert advisors, all you need to do is:
Medical Data Breach Claim FAQs
Can I sue the NHS for a data breach?
You could sue the NHS for a data breach if they have negligently breached your data. However, you would need to prove you’d been impacted psychologically or financially to claim medical data breach compensation from the NHS.
What are the possible consequences on the patient and the healthcare institution if a data breach has occurred?
There are several potential consequences the patient and the healthcare institution could experience if a data breach has occurred. The healthcare provider might face an investigation from the ICO and legal action could be taken against them.
For patients, a medical data breach could affect them in a number of ways. They could experience a loss of privacy. This could affect them psychologically. There could also be some aspects of a data breach that could lead to financial loss.
A medical data breach compensation claim could be something affected claimants are considering. For more information, we could assist you.
How much could I get in medical data breach compensation?
This could vary, depending on how severely you’d been affected and in what manner. Please call our team for an assessment.
What Is A GDPR Breach Claim?
A GDPR breach claim is a compensation claim made by a victim of a data breach, or their representative. A GDPR data breach claim could include compensation for the psychological effects of a breach. It could also involve compensation for financial loss.
Our team would be happy to help you get started with a data breach claim. While you do not legally need a solicitor to claim compensation, many claimants prefer to have one. Benefits could include having the legal legwork taken care of, ensuring you claim everything you’re eligible for and getting support if your case goes to court.
Am I Eligible To Sue For A Breach Of My Data Privacy?
To be eligible to sue for a breach of your data privacy, you would need to demonstrate that such a breach took place. You would also need to evidence that you suffered some kind of harm because of the breach. This could include financial or emotional harm. If you would like us to provide you with a free-of-charge eligibility assessment of your case, we’d be delighted to help you.
How Much Time Do I Have To Claim For A Healthcare Data Breach Or Medical Information Data Breach?
There are time limits in place for many different types of compensation claims. With data breaches, you’d generally have 6 years from the breach in which to make your claim. However, if your claim is brought under the Human Rights Act 1998 against a public body, such as an NHS trust, you would only have one year. If you’d like us to help you start your claim quickly, we’d be glad to help you. All you need to do is get in contact with our team.
What affects medical data breach compensation payouts?
There are various factors that could affect medical data breach compensation payouts. For instance, you may have lost money due to identity fraud or theft caused by the breach. If so, these costs and losses could be claimable under material damages. If the medical records data breach caused you a psychological injury, you could also claim compensation for this under non-material damages.
The level of suffering you’ve experienced may need to be evidenced in an independent medical report. As part of your claim, you may be invited to an independent assessment with a medical professional, who would document their professional assessment of your injury. The results could influence the amount of data breach compensation you would receive.
Where does the information in your medical data breach compensation payouts table come from?
The figures you see in the table earlier on in this guide come from the Judicial College Guidelines, 16th edition which was published in 2022. This is a publication that provides guidance on the amount of data breach compensation that would be appropriate for different levels of psychological injury. If you would like to talk to us about compensation for a medical records data breach, we’d be happy to talk about this in further detail with you.
Does a medical records data breach have to be malicious for me to claim?
A medical records data breach does not have to be malicious for you to be able to claim compensation. As long as you could prove that the organisation acted wrongfully/negligently, causing you harm by way of exposing your data, you could be eligible to claim.
Related Guides To Claiming Medical Information Data Breach Compensation
NCSC Guide To Data Breaches: The NCSC (National Cyber Security Centre) provides guidance to individuals and families on data breaches. It shows people what action they could take if they believe they may have been affected by such a breach.
Cyber Security Survey: The government’s Cyber Security Breaches Survey for 2020 can be found here. It might make interesting reading for you as it explains how common data security breaches are amongst organisations.
Data Protection Explained: The government has created a guide to data protection, which you can access here.
Claims For Stress-Related Incidents: One of the consequences of a data breach could be stress, and the data breach could’ve been caused by your employer. This guide explains stress in more detail and gives some insight into claiming compensation for personal injuries.
Have You Suffered Data Breach Anxiety?: Anxiety could be something you suffer as a result of a data breach. We have created a handy guide that explores claiming for anxiety in more detail. The example included is anxiety following a car accident.
Will Suing Your Employer Cause You Problems?: If your employer has breached your data, you may worry about making a claim for compensation. This guide explores such worries and explains the reasons an employee need not fear taking action against an employer.
Other Guides That May Be Useful
- Child Adoption Data Breach Claims
- Transform Hospital Group Data Breach Claims
- Your Rights After A Virgin Healthcare Data Breach
- How Is Compensation For A Data Breach Calculated?
- Data Breach Claims Against A Law Firm
- How To Claim If Your Employer Breached The UK GDPR
- A Teacher Shared My Child’s Personal Data, Can I Claim?
- Your Rights If An Administrator Breached Your Data Privacy
- Salary Information Data Breach Claims
- Your Rights After A Customer Service Data Breach
- Can I Claim For A Recruitment Agency Data Breach?
- Can You Sue A Company For A Data Breach?
- What Are Your Rights After A Child Custody Data Breach?
- Is Revealing My Phone Number A Breach Of The UK GDPR?
- What Could You Claim For After A Gym Data Breach?
- How Do I Claim If An Accountant Breached My Data?
- Your Rights After A Wealth Manager Data Breach
- A Law Firm Has Shared My Personal Data, Can I Claim?
- Your Rights After A Lawyer Data Breach
- How To Report A Data Breach To The ICO
- Your Rights After A Child Protection Agency Data Breach
Thank you for reading our guide to claiming following a medical information data breach. Hopefully now you’ll know whether you could be eligible to claim medical data breach compensation. If you have further questions about a healthcare data breach, do not hesitate to get in touch.