I Suffered A Psychological Injury After My Pharmacy Had A Data Breach, What Are My Rights?
You may have been aware of the General Data Protection Regulation (GDPR) since it launched in 2018. Many of us dismiss the pop-up boxes and tick boxes that require our attention when signing up for services or when visiting websites. However, these boxes can give you some control over the use of your personal data.
The GDPR has been introduced to try and reduce the number of personal data breaches and give you more control over how your data is used. If a data breach does happen, you could seek compensation if it causes you to suffer mental harm or financial loss.
In this article, we explain the justifications and evidence you might need to claim after a Well Pharmacy data breach. We explore how a data breach could result in compensation and how much might be paid. Later on, we’ll show you how one pharmacy received a £275,000 fine because of a data breach.
If you can prove you have a valid claim, we are here to help. If you call our advisors, a specialist will go through your case with you. As well as answering any questions you raise, they’ll provide advice on your options. You are not obliged to claim with us but, if your case is favourable, we could connect you with one of our data breach lawyers. If they decide to take your case on, they’ll work for you on a No Win No Fee basis.
Our advisors can be reached on 0800 073 8801 today. When you get in touch, a member of our team will explain the claims process to you. If you would rather learn about the impact of pharmacy data breaches before you call, please read the rest of this guide.
Select A Section
- A Guide On Your Rights After A Well Pharmacy Data Breach
- What Medical Data Could A Pharmacy Hold?
- What Is A Personal Data Breach Claim Against Well Pharmacy?
- How Should A Data Controller Deal With A Data Breach?
- Enforcement Action Taken By The ICO Against Pharmacies
- When Could You Claim For A Breach Of Your Data Privacy?
- Evidence To Support Your Case
- Calculate Compensation Claims Against Well Pharmacy Data Breaches
- Non-Material Damages That Could Be Awarded For Data Breaches
- Could I Claim Through A No Win No Fee Agreement?
- Speak To Us About Your Case
- FAQs On The GDPR And Data Breach Claims
- Guides Related To This Article
A Guide On Your Rights After A Well Pharmacy Data Breach
We use personal data in different ways nowadays because of advanced technology and the internet. Personal information, such as bank account details, can be quite valuable to criminals. However, not all data breaches relate to deliberate criminal activity. Problems could be caused if personal information is leaked because of an accidentally dropped memory stick that an unauthorised person accesses, for example.
Fortunately, the Data Protection Act 2018, which enacted the GDPR into UK law, is there to protect you. Organisations that decide how and why they’ll use your data (data controllers) need to keep it secure and require a lawful reason to process it.
In the UK, the GDPR watchdog is the Information Commissioner’s Office (ICO). Within its remit, it can investigate data protection breaches and issue large financial penalties. Additionally, it can tell a company that it must change the way in which it processes personal information.
That said, they are not able to award compensation to you if you have suffered mentally or financially as a result of the breach. Therefore, we have provided this guide to explain how to make a compensation claim yourself.
You have to claim within the agreed time limits. In most cases, you will get 6 years to file your claim from the date you obtained knowledge of the breach. However, we’d advise checking this as cases that are based on human rights breaches have only 1 year.
What Medical Data Could A Pharmacy Hold?
As with other organisations, pharmacies need to process and store some information about their customers. Without it, collecting your prescription could be a long-winded process and mistakes may be more likely. In this section, we are going to look at what information a pharmacy could potentially hold about you. For example, they might retain:
- Your name, NHS number, mobile number, home address and email address.
- Your date of birth.
- Information that’s contained within your medical records.
- Details of your current and previous prescriptions.
- Payment details if you’ve ordered online with them.
Because this data could help to identify you, it is covered by the GDPR. Also, this is just a sample of what might be known about you. More information might be recorded in some instances.
As well as implementing measures to try and keep this type of data safe, in many instances the pharmacy is not authorised to sell or share it with others. (They don’t always need your consent to share your data, however.) Even in cases that might seem safe, like sharing data with a research project, they may need to seek your permission first.
What Is A Personal Data Breach Claim Against Well Pharmacy?
Pharmacy data breaches happen following a security problem, which can be accidental or deliberate. During the incident, personally identifiable data would be exposed, lost, destroyed, changed or accessed in a way that has not been authorised or is unlawful.
Common data breaches you may hear about are related to cybersecurity. They can include data loss caused by phishing emails, denial of service attacks, key loggers and ransomware. However, it is worth noting that breaches can also involve physical documentation such as printed or hand-written records. For example, a patient may be given your prescription by accident and they may look at your personal details on it.
The following list demonstrates some of the ways in which a pharmacy could be involved in a GDPR breach:
- Where a customer’s details are stolen after the company’s IT infrastructure is exploited.
- When a letter or email containing personal information is intended for one patient but is sent to another.
- Where staff discuss an identifiable patient’s medical problems in earshot of other customers.
- If staff look up details of friends, relatives or customers without a lawful reason to do so.
These scenarios could cause the affected data subjects to suffer emotional distress. Additionally, if the bank details of a patient are accessed, they may become a victim of theft.
How Should A Data Controller Deal With A Data Breach?
Since the introduction of the GDPR, companies have put plans in place so that they are prepared to act if a data protection breach occurs. As part of their obligations under the law, companies should:
- Instigate an investigation to learn what has happened. This should help to identify what data was exposed, when the breach took place and how it happened.
- Let the ICO know of the breach (if it’s notifiable) within 72 hours and keep them updated.
- Inform data subjects about the breach without undue delay if there is a risk to their rights and freedoms.
We will look at evidence that you could provide to support your case later on. However, if you are notified about a breach, you should retain a copy of the letter or email. Remember, though, you can’t claim just because a data breach has occurred; you will also need to show that it caused you to suffer psychologically or financially.
Enforcement Action Taken By The ICO Against Pharmacies
While there have been reports of a Well Pharmacy data breach involving staff data, there is currently no publicly available record of any enforcement action by the ICO. Therefore, in this section, we’ll look at ICO action that resulted in another pharmacy (Doorstep Dispensaree) receiving a £275,000 fine.
The fine was issued because around 500,000 records relating to patients were stored at the back of their premises in unsecured containers. The breaches of the GDPR that led to the fine were:
- The personal data relating to patients was not secured. This relates to the fact that the containers were unlocked and potentially accessible to unauthorised persons.
- The documents were not protected from damage. This relates to the fact that some documents had been water damaged because of inadequate storage.
When Could You Claim For A Breach Of Your Data Privacy?
We have shown already that claimants need to provide evidence that a data protection breach has happened and that it caused them to suffer mentally or financially. As well as a right to seek compensation, you have other rights relating to data processing since the GDPR was introduced. They include the right to:
- Be informed about the reasons your data is needed and how it’ll be used.
- Request access to your personal data held by an organisation.
- Object to the use of personal information.
- Limit the ways in which your data is used.
- Request the amendment of inaccurate data.
- Request the deletion of data.
- Receive your data in a portable format that is easy to use.
You also have individual data rights relating to how your information is used in automated decision making and profiling.
Evidence To Support Your Case
It is imperative, when seeking compensation, that you can provide evidence that shows:
- A breach happened and you were the victim;
- It caused you to suffer mentally or financially (or both); and
- Someone else was liable.
To make a pharmacy data breach claim, the following evidence could help you:
- An email or letter from the pharmacy notifying you that the data breach took place and you have been affected.
- Medical notes from your GP to show how you have suffered because of the breach.
- Bank statements or other financial documentation to demonstrate any monetary losses.
- A report following an ICO investigation into the data breach.
To have an expert review your evidence for free, please get in touch today. We could partner you with one of our data breach lawyers. If not, our team could provide advice on what else you need before claiming.
Calculate Compensation Claims Against Well Pharmacy Data Breaches
In this section, we will look at potential compensation amounts that could be awarded for psychological injury sustained during a personal data breach. Our compensation table, below, includes some examples but you’ll get a more personalised compensation figure if you let our team review your case for you.
When considering claims, it is important to refer to a case at the Court of Appeal: Vidal-Hall and others v Google Inc. The court heard that:
- Compensation should be considered for any psychiatric injuries sustained following a data breach. This is irrespective of whether there has been any financial suffering. Before this case, you could only claim for mental suffering if you’d also suffered financially.
- When awards are being valued, compensation amounts used in personal injury claims should be adopted.
For that reason, we have added figures from the Judicial College Guidelines (JCG) to our compensation table. The JCG is used to help determine settlement amounts for injuries in personal injury claims.
| Injury | Compensation bracket |
|---|---|
| Psychiatric damage (Severe) | £51,460 to £108,620 |
| Post-Traumatic Stress Disorder (Severe) | £56,180 to £94,470 |
| Psychiatric damage (Moderately Severe) | £17,900 to £51,460 |
| Post-Traumatic Stress Disorder (Moderately Severe) | £21,730 to £56,180 |
| Psychiatric damage (Moderate) | £5,500 to £17,900 |
| Post-Traumatic Stress Disorder (Moderate) | £7,680 to £21,730 |
| Psychiatric damage (Less severe) | Up to £5,500 |
| Post-Traumatic Stress Disorder (Less severe) | Up to £7,680 |
Medical Evidence In Personal Data Breach Claims
To be compensated correctly, you need to provide evidence that shows the extent of your suffering. You’ll also need to prove that the data breach caused or worsened your condition. Therefore, you will need to participate in a medical assessment during your claim. This will be conducted by an independent medical specialist.
During your appointment, they will assess your condition and offer a prognosis for future suffering. This can be established by questioning you and reviewing any medical records available.
Once the appointment has ended, the specialist will send their report to your solicitor. If you work with us, your solicitor should be able to limit your travelling time by arranging a local medical assessment.
If you can prove you’ve been the victim of a Well Pharmacy data breach, and you’re unsure about what your condition could be valued at, get in touch today. Our advisors can offer you a free, accurate estimation.
Non-Material Damages That Could Be Awarded For Data Breaches
All compensation claims should be fully justified and backed with substantiating evidence. What’s more, you may need to take into account suffering that continues into the future as part of your claim. That’s because you can only claim for the same incident once.
Compensation for data breach claims is generally split into two categories: material and non-material damages.
Material damages compensate you for the financial impact of the data breach. Therefore, you’ll start by working out how much the breach has caused you to lose monetarily so far. Then you might need to look at any additional suffering too. For example, if your credit record has been damaged by criminals using your personal details, you could pay more for products like mortgages or loans until the damage is rectified.
Non-material damages compensate you for psychological suffering. This can include conditions like distress and anxiety. Initially, you can look at any medical conditions that have been diagnosed previously and were caused or worsened by the breach. You may also have to factor in any future suffering detailed in your medical assessment report. This could include prospective weeks, months or years of suffering caused by anxiety.
As you can see, there is a lot to think about when claiming after a personal data breach. We advise that, to help you get the claim right, you take on legal support. By doing so, we believe that you have a better chance of being compensated properly for your suffering.
Could I Claim Through A No Win No Fee Agreement?
Claimants may delay seeking compensation because they’re worried about being out-of-pocket if the case loses and they still have to pay their solicitor’s fee. Accident Claims UK can help to reduce that worry. That’s because our data breach solicitors work on a No Win No Fee basis. That means that if your claim is taken on, you’ll receive expert legal representation and won’t have to pay your solicitor’s fees if the case loses.
Before your case is accepted, it will need to be reviewed. If the solicitor agrees to work for you, they will supply a Conditional Fee Agreement (the formal term for ‘No Win No Fee agreement’). This agreement tells you the criteria that your solicitor must meet before they’re paid. Additionally, it demonstrates that:
- Advance payment for your solicitor’s work is not needed.
- Your solicitor won’t bill you for their time while working on your case.
- If the claim does not succeed, you won’t need to pay your solicitor’s fee.
The only scenario where you would pay your solicitor is when compensation is received from the defendant. When that happens, your solicitor will deduct a pre-agreed small percentage to cover the cost of their work. This is called a success fee. So that you know what percentage you’ll pay, the success fee, which is legally capped, is listed in your Conditional Fee Agreement.
Speak To Us About Your Case
We hope that the information we’ve supplied has helped you today. If you are now considering claiming, you can contact us by:
- Calling our advisors on 0800 073 8801.
- Emailing us with the details of your case to email@example.com.
- Asking an online advisor about your options.
- Requesting a call from a specialist by completing our enquiry form.
FAQs On The GDPR And Data Breach Claims
We have almost completed this guide about what could happen after a Well Pharmacy data breach. Therefore, we’ll use this section to answer some common GDPR-related questions.
Examples of information protected by the GDPR
The GDPR protects data that could be used to identify an individual (the data subject). This includes names, addresses, email addresses, mobile or telephone numbers, banking information and identification numbers. Additionally, data that could identify you if used alongside other information is also protected. This might include details of disabilities, ethnicity, age, marital status or sexual orientation.
What data protection rules should a pharmacist follow?
Pharmacists, like other data controllers, should implement security processes to try and keep personal data safe. Furthermore, before processing any personal information, they must ensure there is a lawful basis for doing so.
What fines could the ICO issue?
Guides Related To This Article
Thanks for reading about what could constitute a valid and justifiable Well Pharmacy data breach claim. In our final section, we have included some additional links that you might find helpful.
72 Hours To Respond: Guidance on how data controllers should respond to data breaches.
ICO Action: Take a look at this page to view the latest enforcement orders and fines issued by the Information Commissioner’s Office.
Symptoms Of PTSD: This article lists some of the symptoms of Post-Traumatic Stress Disorder.
Psychological Injuries: A guide that shows some of the psychological damage that could be endured following a personal data breach.
GP Data Breaches: This article explains your rights relating to data breaches by your doctor.
Credit Card Breaches: Information on how a credit card provider might breach data protection rules and why you might be entitled to claim.
Employer Data Breaches: Our guide explores what you can do following an employer data breach.
University Data Breaches: You may have been the victim of a data breach at a university as an employee or a student. Read our guide to see what you could do next.
Hotel Data Breaches: Hotels hold the personal information of employees and guests. We provide more information in this article.
Thank you for reading our guide about steps you could take if you can prove you’ve suffered psychologically or financially because of a Well Pharmacy data breach.
Guide by BH
Edited by RV