Last updated 6th December 2024. If your medical information was shared unlawfully or accidentally, the organisation that shared it might have breached data protection. Medical institutions should protect health data under the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR). In this guide, we investigate how medical data breaches could occur.
If a medical organisation breached your data and the breach led to harm, you might qualify to make a data breach compensation claim. Please call Legal Expert today. An advisor can assess your case, and if we see that you might be owed compensation, Legal Expert can appoint a data breach solicitor to manage your compensation claim.
To enquire about claiming compensation for a health and social care data breach, please contact us today:
- Call 0800 073 8804 to speak to a claims advisor
- Use our Web Chat service to ask us a question
- Or fill out the form to see if you can begin your claim online
Select A Section
- What Is A Medical Information Data Breach?
- When Can Medical Information Be Shared?
- Types Of Errors Which Could Leak Your Medical Information
- Examples Of Healthcare Data Breaches
- My Medical Information Was Shared; What Could I Claim?
- Can I Claim If My Medical Information Was Shared?
What Is A Medical Information Data Breach?
Personal data breaches are security incidents which can lead to the integrity, availability and confidentiality of your personal data being compromised. Indeed, data breaches can be data loss or data theft incidents. Or an incident where an organisation wrongfully discloses or shares personal data. Moreover, a data breach can happen if the organisation alters or destroys data accidentally or unlawfully.
Data breaches can breach your data protection rights. Under the UK General Data Protection Regulation (UK GDPR), organisations must protect the personal data they process. Therefore, medical institutions such as hospitals and GP surgeries may opt to:
- Firstly, have strong internal administrative processes to avoid data breaches.
- Secondly, medical institutions should train their staff to handle patient data securely.
- Moreover, the institution could have security measures in place to prevent unlawful
medical information sharing. - Additionally, an organisation should have adequate systems in place to prevent a cyber-security incident, such as hacking.
Organisations that are responsible for a data subject’s personal data have an obligation to ensure they take the correct steps in protecting this information. Failing to adhere to data protection laws can open up channels for data breaches to occur.
If a medical organisation misuses your medical records, you might have experienced stress due to a data breach or psychological injuries. So please contact Legal Expert; an advisor can help determine if you are eligible for compensation if your medical information was shared without a lawful basis.
When Can Medical Information Be Shared?
Medical information could be shared to provide treatment to patients, such as sharing between a GP and a consultant. In order for medical records concerning personal health data to be shared, there will need to be a lawful basis for doing this. Altogether there are 6 lawful bases, and one of them is consent. Each lawful basis is as important as the other; not one outranks another.
There are six lawful bases for processing personal data, and these include:
- Consent
- Contract
- Legal Obligation
- Legitimate interests
- Public task, and
- Vital interest.
Additionally, data protection legislation protects personal data and a category of personal data that is known as ‘special category’ due to its sensitive nature. Health data is categorised as sensitive and requires even added protection when it is being processed.
Free legal advice is available from our data breach team if your medical information was shared without a lawful basis.
Types Of Error Which Could Leak Your Medical Information.
Very often, human error is the cause of medical information being shared in a data breach. Here are some examples of the causes of a data breach:
- Hackers could target a clinic to gain illegal access to the clinic’s database due to lax cyber-security measures.
- A hospital worker could disclose health data without a lawful basis.
- A nursing home fails to redact information that identifies a patient from published marketing materials.
- Misdelivery of data incidents happen. For example, a hospital department could send medical test results to the wrong home or wrong email address.
- Documents containing patient personal information are lost or stolen.
- A healthcare organisation sends out a mass email. However, the organisation could fail to use the BCC field. Therefore the email addresses are shared amongst the mailing list. The blind carbon copy (BCC) field conceals email addresses from others on the mailing list.
Our data breach claims team can advise you on what steps you could take if you learn your medical information was shared accidentally or unlawfully.
Examples Of Healthcare Data Breaches
During the last three financial years, 5,632 healthcare sector data security incidents were reported to the Information Commissioner’s Office (ICO).
Wrightington, Wigan and Leigh NHS Foundation Trust were investigated by the ICO in 2019 after discovering that staff accessed patient data without a lawful basis to do so.
Another incident occurred when the 56 Dean Street clinic, which specialises in sexual health, failed to use the BCC when they sent out a mass email. Consequently, the clinic shared nearly 800 email addresses of those that had attended HIV clinics. The ICO fined the clinic £180,000.
Source URLs:
https://www.manchestereveningnews.co.uk/news/greater-manchester-news/nhs-investigation-after-personal-medical-16934646
https://www.bbc.co.uk/news/technology-36247186
My Medical Information Was Shared; What Could I Claim?
If your personal data breach claim for medical information being shared is successful, you could be eligible to receive compensation for two types of damage – material and non-material damage.
Non-material damage is the mental harm you have suffered because of a personal data breach. For example, if you have suffered anxiety, depression, Post-Traumatic-Disorder, or stress because your medical information was shared.
When calculating medical data breach compensation, legal professionals may refer to the Judicial College Guidelines (JCG). The JCG is a document that lists guideline compensation awards for different types of psychological harm.
Guideline Compensation Table
In the table below, we have taken some types of psychological harm and their accompanying guideline compensation figures from the JCG.
However, the top award figure is not from the JCG, and this table should only be used as a guide, since all personal data breach claims are unique.
| Harm Suffered | Severity | Guideline Compensation Award |
|---|---|---|
| Multiple serious types of psychological harm and financial losses. | Serious | Up to £250,000+ |
| Psychiatric Damage | Severe (a) | £66,920 to £141,240 |
| Moderately severe (b) | £23,270 to £66,920 | |
| Moderate (c) | £7,150 to £23,270 | |
| Less severe (d) | £1,880 to £7,150 | |
| PTSD | Severe (a) | £73,050 to £122,850 |
| Moderately severe (b) | £28,250 to £73,050 | |
| Moderate (c) | £9,980 to £28,250 | |
| Less severe (d) | £4,820 to £9,980 |
Material Damage
Material damage is any financial losses you have suffered due to a personal data breach, such as:
- Lost earnings if you have needed to take time off work due to your non-material damage.
- Therapy costs due to your non-material damage.
- Relocation costs if you have needed to move address due to fear of your safety.
Keeping evidence of your financial losses is essential. Such evidence includes invoices, receipts, bank statements, and payslips.
Please contact us to learn more about how medical data breach compensation is calculated.
Can I Claim If My Medical Information Was Shared?
Having your medical information shared does not mean a data breach has occurred. You may be eligible for compensation if you meet the following criteria.
- Firstly, an organisation breached data protection laws,
- Secondly, this led to your personal data being breached, and
- Thirdly, the data breach caused you emotional distress or psychological injuries. On the other hand, you may have lost money or assets.
Opting to work with a No Win No Fee solicitor, you will pay a success fee if the claim is won. Moreover, you will pay your success fee from the data breach compensation payment at a capped rate. If your claim does not succeed, you will not have to pay a success fee.
Please get in contact with us today to see if you are eligible to make a data breach claim if your medical information was shared without a lawful basis. If your claim seems eligible, we could forward you to our solicitors.
- Call 0800 073 8804 to consult an advisor
- Please type a question for us into our Live Support online widget
- Or request a call back about your claim online
Medical Information Data Breach Claims
We hope the guide has been helpful. Here are some other medical data breach guides you may find informative.
- Can I Get Compensation For Loss of Medical Records?
- Metro Bank Data Breach – Could I Claim?
- How To Report A Data Breach To The ICO
- Does an organisation need my consent? – a guide from the ICO
- What is special category data? – a guide from the ICO
- More information from the NHS about mental health conditions people can develop.
Thank you for reading our guide on what to do if your medical data is shared unlawfully.
