What Are My Rights After A Medical Data Breach?

I Suffered A Psychological Injury After A Medical Data Breach, What Are My Rights?

Medical Data Breach

If a medical data breach happens, it could affect you in a number of different ways. Depending on the data involved in the breach, you could experience reputational damage, loss of privacy and even psychological injuries. If you have suffered financially or emotionally because of a data breach in the UK, you may be wondering if there’s anything you could do about it.

This guide explains what could cause a healthcare data breach, and whether you could be eligible for compensation. We also show you how you could find a data breach lawyer to help you under No Win No Fee terms.

A data breach could happen as the result of human error, mismanagement of your data, or it could be the result of a malicious cyberattack, such as a hack. We discuss these incidents in more detail in the below sections of this guide. In addition to this, we offer some insight into how much compensation a data breach claim could bring, and what you’d need to begin a claim.

If we can be of any assistance to you, whether by assessing your eligibility to claim, answering your questions or providing you with a data breach solicitor for your claim, you can reach us on 0800 073 8801. We’d be glad to assist.


A Guide To Medical Data Breach Claims

Whether a data breach occurs at your GP surgery, at a local hospital or in another healthcare setting, it can have a number of unwanted consequences. If you’ve fallen victim to a medical data breach and suffered material or non-material damages (including distress) as a result, you could make a medical data breach claim against the organisation that caused the data breach.

It does not matter whether a staff member accidentally sent your health data to an unauthorised recipient or your surgery was subjected to a hack or cyber attack. Both of these incidents, as well as negligence, could cause your medical data to be breached, and if it has harmed you, you could claim.

This guide explores in detail the laws that are in place to protect sensitive personal information, including sensitive medical information. We describe how data breaches have happened in the past, and what action you could take if you’ve been affected by a breach.

We also discuss why claimants could claim for psychiatric and psychological harm if they suffer such injuries due to a breach of their personal data.

At the end of this guide, we answer some frequently asked questions about making claims for GDPR breaches and provide you with some further resources, as well as explaining how we could help you begin your claim.

What Medical Data About Me Could Be Held?

Patient records could contain lots of very sensitive information that you would expect a healthcare provider to protect. In fact, they have a legal duty to do so under GDPR and the Data Protection Act 2018. Personal data, as defined by the ICO, is information that could identify a person, either when used alone or combined with other information. It could include:

  • Personal information such as your name, contact information, address, email address or location details
  • Financial information such as your health insurance details or, if you pay for treatment, your credit card or bank details
  • Special category data such as racial or ethnic origin, religion, genetic data, medical information, sexual orientation and biometric data, for example

No matter what type of data is breached, if your healthcare provider breaches your personal data, causing you financial or emotional harm, you could be eligible for compensation.

What Is A Medical Data Breach Claim Against A Healthcare Provider?

When a healthcare provider collects, stores and processes your personal data, they could be considered a data controller. As such, there are specific laws they must abide by, such as the Data Protection Act 2018, which enshrines the UK GDPR in law. Under the UK GDPR, organisations, including healthcare providers, must abide by certain principles when processing, storing or collecting data. These include:

  • Transparency, fairness and lawfulness: Any processing, storage and collection of data must be done in accordance with the law. Organisations must process data fairly and must be transparent with data subjects.
  • Purpose limitation: Organisations must identify the purpose for processing data and must limit their processing to the identified purpose.
  • Data minimisation: Organisations must only use the minimum amount of data required for processing.
  • Accuracy: Data controllers must ensure that personal information is up to date and accurate.
  • Storage limitation: They must only store data for as long as it is needed.
  • Integrity and confidentiality: Organisations must have appropriate data security measures in place to protect personal information.
  • Accountability: Data controllers must demonstrate compliance.

Organisations that breach data could end up on the ICO breach register, and they could even receive ICO fines for infringements of GDPR. Victims of data breaches also have rights under the GDPR. Section 168 of the Data Protection Act 2018 allows the victim of a data breach to claim healthcare data breach compensation for non-material and material damages caused by a breach.

How Could A Data Protection Breach Of My Medical Records Happen?

A data protection breach of medical records could happen in a variety of circumstances. Examples could include:

  • Malicious Acts: A healthcare provider could fall victim to hacking. A cyber criminal could identify cyber security vulnerabilities in its systems and launch an attack through cloud services or through a VPN (Virtual Private Network). Once they gain access, they could use a virus, ransomware, malware or spyware to breach your personal data.
  • Staff errors: Sometimes, a staff error could cause a data breach. For example, a staff member might send sensitive information to the wrong recipient. This could also represent a medical records breach. A breach could even happen if files are misplaced, or if a failure to lock a filing cabinet containing data leads to unauthorised access.
  • Negligence: If a healthcare provider hasn’t adequately protected its systems (for example, by failing to install appropriate cyber security software, such as a firewall), this could be considered a breach.

Whether your data breach involved hacking, a DDoS attack, phishing, human error or theft of computer equipment, if you suffer harm from it, you could be eligible for compensation.

Action A Healthcare Provider Should Take If They Have Had A Data Breach

There are several things an organisation should do if it has a medical records data breach. It should identify what risks the medical data breach poses to individuals. Once it has done so, it should report the breach to the ICO within 72 hours if it risks the rights and freedoms of data subjects. It should also inform the data subjects.

The information a healthcare provider should put in a data breach report to the ICO includes:

  • The nature of the breach
  • Number of individuals concerned
  • How many records were concerned
  • The details of the data protection officer or another contact point
  • Descriptions of what consequences could arise
  • Explanation of measures taken or to be taken to rectify the breach

If a medical data breach doesn’t risk the rights and freedoms of data subjects, the organisation doesn’t have to report the breach to the ICO. However, it must keep its own records of the breach.

Examples Of Action Taken By The ICO Against Medical Service Providers

The Information Commissioner’s Office (ICO) upholds the data rights of individuals. It could investigate incidents pertaining to data protection infringements and could issue enforcement actions against those who breach data protection law.

Does The ICO Enforce GDPR?

The ICO does enforce GDPR. It could issue fines of up to 4% of an organisation’s global annual turnover, or £17.5m.

What Action Has The ICO Taken Against A Medical Service Provider?

One example of action the ICO took against a medical services provider happened in 2019. The ICO issued a fine of £275,000 against Doorstep Dispensaree when they failed to protect special category data. The incident related to the failure to secure around 500,000 documents containing personal data, which were left in unlocked containers on the organisation’s premises. The data included medical information, NHS numbers, names and addresses.

When Could You Claim For A GDPR Medical Data Breach?

To make a claim for a data breach you’d need to demonstrate that:

  • A medical provider breached your data.
  • You encountered financial or emotional harm because of the breach.

It may not be necessary to take your data breach claim to court to get the compensation you deserve. If you make a complaint about a breach directly to an organisation, you could use a data breach solicitor to help you take your claim further.

What Evidence Do I Need To Make A Medical Data Breach Claim?

If you’re looking to make a medical data breach claim, you might want to know what evidence you’d need. In general terms, you’d need to evidence the breach itself, as well as the impact it had on you. Evidence that could help to do this could include:

  • A copy of a letter or email from the organisation confirming you’ve been a victim of the data breach
  • Any response to your complaint
  • Documents evidencing the financial impact of the breach, such as credit card bills or bank statements
  • Medical evidence if you’ve sustained psychological injuries

Data breach lawyers would be able to tell you what evidence they’d need to submit as part of your claim. If you’d like us to refer you to a data breach lawyer, we’d be happy to help.

Medical Data Breach And GDPR Breach Compensation Calculator

When making a valid data breach claim, not only could you be eligible for compensation for any financial loss you experience, but you could also claim for psychiatric/psychological injuries. This is because of a legal precedent which was set in Vidal-Hall and others v Google Inc [2015] – Court of Appeal. During the case, the judge said that compensation awards similar to those seen in personal injury cases for psychiatric or psychological injuries should be considered.

Evidencing Psychological Injury

To evidence such injuries, you would need to have an independent medical assessment. An independent medic would examine you and write a report detailing your injuries and prognosis. Data breach solicitors and courts could use this report alongside the Judicial College Guidelines (an annually updated legal publication) to come to an appropriate value for psychological suffering.

We have used some figures from this publication in the table below. This could roughly illustrate the payout guidelines for such injuries.

| Psychological/Psychiatric Injury | Compensation Bracket | Level of Severity |
|---|---|---|
| Cases involving post-traumatic stress injuries/PTSD | £56,180 to £94,470 | Severe |
| Cases involving post-traumatic stress injuries/PTSD | £21,730 to £56,180 | Moderately severe |
| Cases involving post-traumatic stress injuries/PTSD | £7,680 to £21,730 | Moderate |
| Cases involving post-traumatic stress injuries/PTSD | £3,710 to £7,680 | Less severe |
| Psychological (General) Injuries | £51,460 to £108,620 | Severe |
| Psychological (General) Injuries | £17,900 to £51,460 | Moderately severe |
| Psychological (General) Injuries | £5,500 to £17,900 | Moderate |
| Psychological (General) Injuries | £1,440 to £5,500 | Less severe |

Types Of Material And Non-Material Damages That Could Be Awarded

We mentioned earlier in this guide that a medical data breach claim could include non-material and material damages. But what could this involve?

  • Non-Material Damages: These are the damages that compensate claimants for psychological injuries.
  • Material Damages: These are the actual and projected financial losses a breach causes. They could relate to fraud, identity theft or monies stolen from bank accounts, for example.

If you are unsure as to what damages you could claim, we could help. We’d be happy to offer you a free eligibility assessment, and could provide you with a No Win No Fee lawyer to help you with your case.

No Win No Fee Medical Data Breach And GDPR Breach Claims

Do you want to use the services of a data breach lawyer to make your claim? If so, you might be pleased to learn that with No Win No Fee claims, you wouldn’t need to pay such a lawyer their fee upfront. Instead, you would pay them a small percentage of your total payout at the end of your claim as a success fee.

How Could A No Win No Fee Medical Data Breach Claim Work?

  • At the start of your claim, your lawyer would send you a No Win No Fee Agreement. You’d need to sign it and return it to them. The document specifies the success fee you’d pay from your compensation if your case is successful.
  • When you sign and return your agreement, the data breach solicitor would be able to work on your claim. They could build a body of evidence and submit it on your behalf.
  • The solicitor would negotiate a compensation settlement for you. If your case needed to go to court, they’d support you through this process.
  • When your compensation settlement comes through, the solicitor deducts their success fee, with the rest being left for your benefit.
  • If your case doesn’t win, you don’t need to pay the solicitor’s fee.

If you want to look in more detail about what No Win No Fee claims involve, why not read our guide? Or, you could chat with our team and have your questions answered over the phone.

Contact An Advisor

We recognise that you may have further questions about making a claim for a breach of your data privacy. We’d be glad to answer those questions, and we could also assess your eligibility for free. In addition to this, we could refer you to a data breach lawyer to begin your compensation claim. To reach our expert advisors, all you need to do is call us on 0800 073 8801.

Medical Data Breach Claim FAQs

What Is A GDPR Breach Claim?

A GDPR breach claim is a compensation claim made by a victim of a data breach, or their representative. A GDPR data breach claim could include compensation for the psychological effects of a breach. It could also involve compensation for financial loss.

Our team would be happy to help you get started with a data breach claim. While you do not legally need a solicitor to claim compensation, many claimants prefer to have one. Benefits could include having the legal legwork taken care of, ensuring you claim everything you’re eligible for and getting support if your case goes to court.

Am I Eligible To Sue For A Breach Of My Data Privacy?

To be eligible to sue for a breach of your data privacy, you would need to demonstrate that such a breach took place. You would also need to evidence that you suffered some kind of harm because of the breach. This could include financial or emotional harm. If you would like us to provide you with a free-of-charge eligibility assessment of your case, we’d be delighted to help you.

How Much Time Do I Have To Claim For A Data Breach?

There are time limits in place for many different types of compensation claims. With data breaches, you’d have 6 years in which to make your claim. However, if there has been a breach of human rights, you would only have one year. If you’d like us to help you start your claim quickly, we’d be glad to help you. All you need to do is get in contact with our team.

Related Guides

NCSC Guide To Data Breaches: The NCSC provides guidance to individuals and families regarding data breaches. It shows people what action they could take if they believe they may have been affected by such a breach.

Cyber Security Survey: The government’s Cyber Security Breaches Survey for 2020 can be found here. It might make interesting reading for you as it explains how common data security breaches are amongst organisations.

Data Protection Explained: The government has created a guide to data protection, which you can access here.

Claims For Stress-Related Incidents: One of the consequences of a data breach could be stress, and the data breach could’ve been caused by your employer. This guide explains stress in more detail and gives some insight into claiming compensation for personal injuries.

Have You Suffered Data Breach Anxiety?: Anxiety could be something you suffer as a result of a data breach. We have created a handy guide that explores claiming for anxiety in more detail. The example included is anxiety following a car accident.

Will Suing Your Employer Cause You Problems?: If your employer has breached your data, you may worry about making a claim for compensation. This guide explores such worries and explains the reasons an employee need not fear taking action against an employer.

Thank you for reading our guide to claiming following a medical data breach.

Guide by JJ

Edited by RV