We've been featured in:

Our Research And Statistics On NHS Data Breach Compensation Claims

A lot of the enquiries we receive relate to medical data breaches, particularly within the NHS. These prompted our investigation into NHS data breach compensation claims.

Below, you can find out how much compensation has been paid out for data breaches by each NHS Trust, as well as the total number of claims made and compensation paid out.

We also uncovered the most prevalent types of data breaches within the UK health sector over the last three years.

How We Conducted Our Research

Legal Expert sent a Freedom of Information Request to NHS Resolution to find out the number of data breach claims lodged against each NHS Trust in the UK.

We also asked for the amount of damages paid out by each trust for such claims in the last three years, the results of which you can see below

Similarly, a request was sent to the Information Commissioner’s Office (ICO) to find out the number of data breach incidents reported to them by the healthcare sector as well as the types of data breaches that are most prevalent.

The Most Common Data Breach Types Within The UK Health Sector

The most common data breaches in the health sector in the last two years have been disclosed to Legal Expert by the Information Commissioner’s Office (ICO).

Between 2022/23, data breaches have skyrocketed by 21% in the UK health sector.

Data breaches reported to the ICO by businesses in the health sector includes; 

  • Advisory boards and panels
  • Ambulance service
  • Commissioning
  • Dentists
  • General practitioner
  • Health research
  • Healthcare and pharmaceuticals
  • Opticians
  • Pharmacist
  • Primary care
  • Private healthcare providers
  • Public health
  • Representative and arm’s length bodies
  • Secondary care

In 2022, a total of 1,607 data breaches were reported to ICO from the health sector, this soared to 1,949 incidents the following year. 

So far this year, between January 1 – March 20, 2024, a total of 505 data breaches have been reported by the health sector to ICO. That’s an average of 168 incidents a month. If the trajectory continues, figures could reach record highs this year of around 2,020.

Legal Expert has ranked the top 10 most common data breach incident types reported to the ICO from the Health Sector between 2022-24.

Top 10 most common Data Breach Incidents Health Sector

Top 10 most common Data Breach Incidents Health Sector

Definitions as provided by the ICO

Unauthorised access – an unauthorised individual has gained access to personal data. This can include unauthorised disclosures. This incident type is used both in instances where an individual has unlawfully accessed or disclosed information and where a third party has forcibly accessed a system.

Data emailed to incorrect recipient – where an email containing personal data is sent to the wrong email address. This could be data about one person or multiple individuals.

Data posted or faxed to incorrect recipient – where a fax or piece of post containing personal data is sent to the wrong fax number or postal address. This could be data about one person or multiple individuals.

Loss/theft of paperwork or data left in insecure location – papers containing personal data are not secured, for example locking the paperwork in a cabinet or similar; or papers are misplaced or stolen.

Verbal disclosure of personal data – when personal data is shared or disclosed verbally to an inappropriate party.

Ransomware – a type of malware that unlawfully encrypts a user’s files and demands a ransom to unencrypt files, usually in the form of cryptocurrency.

Failure to redact – when personal data was disclosed without the appropriate redaction, or if the redactions made were inadequate.

Phishing – an attempt to obtain information by posing as a trustworthy entity, deceiving recipients into sharing sensitive information (such as usernames, passwords, or credit card details) or by encouraging them to visit a fake website.

Hardware/software misconfiguration – any hardware or software misconfiguration leading to a disclosure of information. For example, permissions on a folder set incorrectly, or failing to use a robot.txt file.

Data of wrong data subject shown in client portal – where personal information about one or more individuals is shown within the Online service area belonging to another person.

The Results Of Our Research Into NHS Data Breach Claims

We send out Freedom of Information Request for every NHS Trust asking for the number of data breach claims and the amount of compensation paid in the last three years.

All NHS Trusts provided the requested information. A total of 897 Data Breach claims were lodged against NHS Trusts between the financial years 2020/21and 2022/23.

In this time period, 418 claims were closed with a compensation payment. The total amount of damages paid by the NHS for these claims was £1,537,295.

Some 212 data breach claims were closed during this period with NIL damages paid out.

Our investigation revealed a total of 20 NHS Trusts paid out thousands in data breach compensation claims in the last three years, find your local trust below.

Top 10 most common Data Breach Incidents Health Sector infographic

Top 10 most common Data Breach Incidents Health Sector

Wrightington, Wigan and Leigh NHS Foundation Trust

Wrightington, Wigan and Leigh NHS Trust came far and above any other in the UK, with a hefty compensation pay-out total.

Between the financial years, 2020/21 and 2022/23, the trust had 61 claims lodged against it. 

36 claims were made between 2020/21 as well as 19 more the following year. A further 6 data breach claims have been lodged against the trust this year so far (up to March 2024)/

In the last three years, WWL Trust settled 47 claims, paying out a total of £79, 650 – the highest amount of any NHS Trust.

Norfolk & Norwich University Hospitals NHS Foundation Trust

Norfolk and Norwich NHS Trust paid out the second highest compensation of all UK trusts.

Between the financial years, 2020/21 and 2022/23, seven data breach claims and incidents were reported to ICO regarding the trust. 

In the last three years, the trust settled 5 claims, paying out a total of £46,875.

Lancashire and South Cumbria NHS Foundation Trust

Lancashire and South Cumbria NHS Trust paid out the third highest compensation of all UK trusts.

Between the financial years, 2020/21 and 2022/23, the trust had 5 claims lodged against it, all of which were made between 2022/23.

In the last three years, the trust settled 5 claims, paying out a total of £37,038.

Greater Manchester Mental Health NHS Foundation Trust

Greater Manchester Mental Health NHS Trust paid out the fourth highest compensation of all UK trusts.

Between the financial years, 2020/21 and 2022/23, the trust had 5 claims lodged against it, all of which were made between 2022/23.

In the last three years, the trust settled all 5 claims, paying out a total of £30,500.

Shrewsbury and Telford Hospital NHS Trust

Shrewsbury and Telford Hospital NHS Trust paid out the fifth highest compensation of all UK Trusts. 

Between the financial years, 2020/21 and 2022/23, the trust had 16 claims lodged against it, all of which were made between 2020/21.

In the last three years, the trust has settled 9 claims, paying out a total of £29,750.

Tavistock and Portman NHS Foundation Trust

Tavistock and Portman NHS Foundation Trust paid out the sixth highest compensation of all UK Trusts. 

Between the financial years, 2020/21 and 2022/23, the trust had 6 claims lodged against it, all of which were made between 2020/21.

In the last three years, the trust has settled 7 claims, paying out a total of £28,500.

Manchester University NHS Foundation Trust

Manchester University NHS Foundation Trust was also high on the list, paying the seventh highest amount out of all UK trusts.

The trust settled 8 data breach claims in the last three years with a sum of £23,590. 

South West Yorkshire Partnership NHS Foundation Trust

South West Yorkshire Partnership Trust paid out some of the highest compensation amounts of all UK Trusts. 

Between the financial years, 2020/21 and 2022/23, the trust did not have any new claims lodged against it, according to NHS Resolution. 

But, in the last three years, it has settled 5 claims, paying out a total of £22,400.

West London NHS Trust

West London NHS Trust paid out some of the highest compensation amounts of all UK Trusts. 

Between the financial years, 2020/21 and 2022/23, nine data breach claims and incidents were reported to ICO regarding the trust. 

In the last three years, it has settled 5 claims, paying out a total of £22,350.

Mersey Care NHS Trust

Mersey Care NHS Trust paid out some of the highest compensation amounts of all UK Trusts. 

Between the financial years, 2020/21 and 2022/23, nine data breach claims and incidents were reported to ICO regarding the trust. 

In the last three years, it has settled 7 claims, paying out a total of £21,950.

What’s more Liverpool University Hospitals NHS Foundation Trust had the second highest number of data breach claims lodged against it during this time. 

40 claims were brought against the trust, all of which were between 2022/23.

Learn More About Making A Medical Data Breach Compensation Claim

If you’ve been impacted by a medical data breach by the NHS, you could be entitled to compensation. You can head here to learn about the eligibility criteria for claiming medical data breach compensation, or you can get in touch with us for free via our live chat or 24-hour helpline.

Here at Legal Expert, we have a team of specialist data breach solicitors who are well-versed in medical and NHS data breaches. They can help you today too.