By Danielle Jordan. Last Updated 4th March 2024. A lot of sensitive and personal information is stored within our medical records. If these become lost or get into the wrong hands, it can understandably cause distress and worry. In this guide, we take a look at what you can do if you fall victim to a medical records data breach.
Below, we take a look at how such breaches of GDPR can happen, and what legal action you can take, such as making a No Win No Fee data breach claim.
If that’s an option you wish to pursue, then we can help. Our solicitors specialise in this field of law and can help you recover the compensation you deserve.
You can speak with us now about the data breach of your medical records for free by:
- Calling 0800 073 8804
- Writing to us about your claim online
- Or speak with us now via our live chat service
Select A Section
- What Is A Medical Records Data Breach?
- The GDPR And Access To Medical Records
- How Healthcare Providers Could Breach Your Medical Privacy
- Can I Claim Compensation For A Medical Records Data Breach?
- Examples Of Data Protection Breaches Of Medical Records
- How To Report Health And Social Care Services To The ICO
- Compensation Payouts For A Medical Records Data Breach
- How Much Could I Receive For A Data Breach Of My Medical Records?
- Can I Claim For A Data Breach Of Medical Records On A No Win No Fee Basis?
- Make A No Win No Fee Data Breach Claim
- Learn More About Medical Records Data Breach Claims
What Is A Medical Records Data Breach?
A medical records data breach may occur after some type of security event. Following the incident, personal information contained within medical records could be lost, disclosed, accessed, destroyed or changed without your consent. Breaches don’t need to be caused by illegal activity, though. You could seek compensation if you’ve suffered because of an accidental data breach too.
While we often read about data breaches that are caused by cyber attackers (involving phishing emails, hacking, viruses, ransomware and other similar methods), the GDPR also applies to physical documents if there are plans to store them in a filing system or add them to a computer system. Therefore, any old printed or hand-written medical records must be protected too.
If a medical service provider is made aware of a breach involving your data, they need to let you know about it without undue delay. They should explain when the breach happened, the data that was exposed and how the incident occurred.
The GDPR And Access To Medical Records
The GDPR is a strict set of data safety rules that came into force in 2018. It covers any data that might be used to identify an individual. There is some information that could be used to identify you directly such as:
- Your name.
- NHS number.
- Telephone numbers.
- Email address.
- Home address.
In addition to this type of information, some information about your characteristics is covered as well. That is because it might lead indirectly to your identification. For example, details relating to your marital status, a disability, your ethnicity or your religious beliefs would be covered.
As a lot of this information will be found in medical records, they are covered by the GDPR and the DPA. The rules will therefore apply to who can access your data directly and who it can be shared with. Where illegal access to your information causes you to suffer mental or financial damage, you could be entitled to start a claim.
How Healthcare Providers Could Breach Your Medical Privacy
So, how could a healthcare provider breach the rules of the GDPR? Well, they could:
- Send an email, fax or letter containing personal data to the wrong recipient.
- Share information from your medical records without your consent.
- Open your medical records on a computer in a publicly accessible place, meaning unauthorised parties could view your details.
- Be the victim of ransomware where hackers gain access to patient medical records to extort money.
- Dispose of paper-based records containing personal information in an insecure fashion.
- Lose a laptop that’s not been encrypted and that contains medical records.
Where these types of medical records data breaches occur, it could cause you to be worried about the implications of your data being exposed. You could be eligible to claim for that stress as part of a compensation claim.
Can I Claim Compensation For A Medical Records Data Breach?
If a data breach of your medical records occurred, you might want to know whether you are eligible to claim. The right to data breach compensation is set by Article 82 of the UK GDPR.
To have valid grounds for a personal data breach compensation claim, you must be able to prove:
- Your personal data was involved in the breach.
- The breach was caused by the organisation’s failings.
- Due to your personal data being breached, you suffered psychological or financial harm.
Additionally, you must start the legal process within the relevant time limit if you are eligible to claim. This is typically six years. However, in claims against a public body, this is reduced to one year.
Please contact one of the advisors from our team to discuss what steps you could take following a medical records data breach. They could also assess the validity of your potential claim, and may connect you with one of our solicitors.
Examples Of Data Protection Breaches Of Medical Records
In this part of our guide, we’re going to look at a news report where a GP video appointment app was involved in a data breach.
The software in question is used to allow doctors to carry out consultations online rather than in person. In June 2020, the provider was contacted by one user who said they could access other patients’ video recordings. During an investigation, the company found that other users had gained access to similar recordings as well.
The user that reported the issues said that while checking his prescriptions online, he noticed around 50 consultation replays that did not involve him. The software provider, which has over 2.3 million UK users, said the problem had now been fixed.
They went on to confirm that, as well as the initial report, 2 other patients had been given access to the videos but did not view them. As per their GDPR obligations, the company reported the matter to the ICO. The user who initially reported the problem said that due to patient-doctor confidentiality concerns, he wouldn’t be using the app again.
Report: https://www.bbc.co.uk/news/technology-52986629
Another example of a breach in which medical records were exposed involved the pharmacy Doorstep Dispensaree. Following an investigation by the ICO in which they found thousands of records kept in unlocked storage containers, Doorstep Dispensaree was fined £275,000.
How To Report Health And Social Care Services To The ICO
You might think that the only way you’ll be able to claim for a medical records data breach is if the ICO investigates. However, that’s not always the case. If you receive a letter or an email from your healthcare provider letting you know that your data has been exposed, there may already be enough evidence to start your claim. We’d suggest that you check with your data breach lawyer before seeking an investigation.
If you do decide to contact the ICO, you must have complained to the healthcare provider first. Where you disagree with their response, you should follow any escalation paths available to you.
If it has been 3 months since any meaningful update has happened, and you’re still not happy with the response, you could contact the ICO and ask them to look at the matter. They say that you shouldn’t leave it too long after that or they could turn you away.
Again, following an investigation, the ICO could force changes upon the company if they’re found to have broken the rules. They could also fine them up to 4% of their annual turnover. However, the ICO cannot issue compensation to you no matter how badly you’ve been affected.
Therefore, you’ll need to take action yourself. Why not call us for free advice about claiming today?
Compensation Payouts For A Medical Records Data Breach
There are a lot of things to consider when making a medical records data breach claim. Ensuring your claim is compiled correctly is important because you can only claim once.
That means you need to think about how you might be affected in the future as well as claiming for any suffering that’s already happened. In this section, we’ll look at what you’ll need to think about.
Firstly, claims are usually split into two elements:
- Material damage – where you base your claim on how much money the data breach has cost you.
- Non-material damage – this part of the claim is about any psychological injuries you’ve sustained.
For material damages, you’ll begin by calculating any financial losses you’ve already incurred. This should be quite straightforward. Then you might need to think about future suffering too. As an example, if your credit file has been damaged by identity theft crimes against you, the cost of loans, credit cards or mortgages could be higher for you until the damage is rectified.
The first part of a non-material damages claim will look at injuries that have already been diagnosed. After that, it might be necessary to claim for any future suffering listed in your medical report. If it shows that you’re going to suffer from Post-Traumatic Stress Disorder (PTSD), for instance, then that should be factored into your claim.
Due to the complexity of these claims, we believe it’s best to have legal support. Working with a data breach lawyer could mean you’ll receive a higher compensation payment. That’s because they’ll use their experience to try and make sure all parts of your suffering are claimed for.
How Much Could I Receive For A Data Breach Of My Medical Records?
After making a successful data breach claim, you could receive compensation for the non-material damage you have suffered. This refers to the emotional harm caused by the breach. A medical records data breach can be an emotionally taxing experience, as the information involved can often be sensitive. The severity of the impact informs how much you could be owed in non-material damage.
In order to arrive at a suitable amount, solicitors can refer to certain resources. For instance, you may need to undergo a psychological evaluation to determine the extent of the impact on your mental health. They can then use the report to help them value the harm you sustained.
To assist them further, there is also a publication known as the Judicial College Guidelines (JCG). The JCG contains guideline figures that correspond to different types of mental harm.
We’ve included a table below with some excerpts from the latest edition of the JCG (2022). Get in touch if you’d like a bespoke valuation, as the amounts shown here will differ depending on your circumstances.
| Claim | Severity | Compensation Range | Further Details |
|---|---|---|---|
| Psychiatric Damage | Severe | £54,830 to £115,730 | Coping with life and maintaining relationships will be significantly difficult. Furthermore, medical treatment is not likely to help, meaning the victim will stay vulnerable. Therefore prognosis will be very poor. |
| Psychiatric Damage | Moderately Severe | £19,070 to £54,830 | Symptoms will be significant and similar to those in the severe category. However, the victim will receive a more optimistic prognosis. |
| Psychiatric Damage | Moderate | £5,860 to £19,070 | In this compensation range, the prognosis will be good. That will be due to a number of marked improvements that have already taken place. |
| PTSD | Severe | £59,860 to £100,670 | Symptoms like mood disorders, suicidal ideation, hyper-arousal and flashbacks will be permanent and affect all aspects of life. |
| PTSD | Moderately Severe | £23,150 to £59,860 | The victim will suffer significantly with similar symptoms to above. However, with professional help improvements could be made. |
There could be other consequences following a breach of your medical records. Personal data can include not only medical conditions, but also your bank details. As such, you could experience material damage, which relates to the financial losses you have incurred due to the data breach.
For example, if your bank details are affected in a breach, then it could mean that your account is charged for something without your authorisation. The amount you lose could be returned to you as part of your overall settlement. However, you would need evidence, such as your bank statement, to prove these losses.
Get in touch for more information on the compensation you could receive as part of your claim.
Can I Claim For A Data Breach Of Medical Records On A No Win No Fee Basis?
There is no doubt that data breach claims can be complex. They can be stressful too if you’re worried about covering the cost of a solicitor’s work. However, if you choose to work with us, you don’t need to worry about that too much. That’s because we provide a No Win No Fee service for any claim that is taken on. This means that you could get access to a specialist solicitor with reduced financial risks.
Before the claim can be taken on, the solicitor will have to review its merits. Should they agree to work on the case for you, they’ll give you a Conditional Fee Agreement (CFA) to review. The formal title of a No Win No Fee agreement, the CFA shows you what criteria need to be met before you have to pay any solicitor’s fees. Essentially, unless you are compensated, you don’t pay your solicitor at all.
Where a claim is won, a small success fee is charged. This is listed in the CFA as a fixed percentage of your compensation. Your solicitor will retain that percentage of your compensation in a successful claim. To try and prevent success fees from being too high, they are capped by law.
Want to know more about No Win No Fee claims? If so, please get in touch.
Make A No Win No Fee Data Breach Claim
We are here to help if you’ve decided to claim for a medical records data breach. You can get free legal advice by:
- Calling our claims line on 0800 073 8804 and speaking to a specialist.
- Asking an online advisor to explain your options.
- Sending an email about your case to info@legalexpert.co.uk.
- Completing our online claims form so that we can call you back.
As we know how busy life can be, our claims line is open 24/7 for your convenience.
Learn More About Medical Records Data Breach Claims
While we have provided all of the information we hope you’ll need to start a medical records data breach claim, we have added some further resources that might help you below. We’ve also shown some of the other types of data breaches we could help with.
- Access Your Medical Records – NHS information about how to obtain copies of your medical records and who else could view them.
- ICO Complaints – This page shows you how to complain to the ICO about different types of data privacy issues.
- Anxiety Support – A charity in the UK that provides anxiety support and therapy via chat or video call.
- It was reported in June that software provider Zellis had experienced a significant cyber attack in which the personal data of employees of Boots, DHL, the BBC and British Airways were all exposed. You can learn more about the Zellis data breach here.
- Data Breach Claims Against Comparison Sites – A guide about claiming if a comparison site data breach has led to you suffering.
- Housing Association Data Breaches – This article shows when data breaches caused by a housing association could result in compensation.
- Find examples of data breaches in schools and learn how to make a data breach claim with our guide.
- In terms of real-life examples, a significant breach occurred in March 2023 when Capita, which administers the pension funds for dozens of organisations, including some of the biggest funds in the country, suffered a cyber attack. For more advice on the Capita data breach and compensation claims, head here.
- Nursery Data Breaches – This guide explains why you could claim for a nursery data breach.
For more advice and support on claiming compensation for a medical records data breach, please get in touch.