Medical Data Breaches

There is nothing more personal than medical data. The right to confidentiality is enshrined in UK law regardless of the GDPR, but at the same time medical data may be routinely shared, with consent, and through communication channels from a health provider to a patient. For example, your doctor might refer you to another doctor specialising in a particular area of medicine. Or a hospital where you have received treatment may send details of that treatment to your GP. There are many other situations where your personal medical data is shared legitimately and with your consent, but in our experience these exchanges give rise to data breaches all too frequently – often not because of theft or computer security failures but because of carelessness.

DRM Legal specialises in data breach claims with a particular aim towards protecting individuals who have been affected by a data breach. We understand just how personal medical data can be and we are here to help our clients to claim compensation for distress and embarrassment caused by a medical data breach.

Like many other areas of industry, healthcare has adopted digital systems and processes in order to manage patients and, importantly, their medical records. It is extremely important that the organisations storing such personal data ensure it is protected, but sometimes (more often than you would like to think) data is hacked or compromised, which results in medical data being lost or accessed by unauthorised parties. The staff entrusted to handle your personal medical data must also be trained on data protection and handling procedures. Too often, the staff employed within the healthcare sector do not take their responsibilities seriously, accessing or using individuals’ personal data for unauthorised purposes.

Who is to blame?

A healthcare provider is liable for the failure to protect your data if they did not follow their own internal procedures. This could be by not following their own data destruction policies or if their security process is not good enough. Medical data breaches frequently occur because of human error; however, the organisation will still be liable for the breach.

If you believe that you are a victim of a medical data breach, you should contact our team to help you to claim the compensation that you deserve. We give our clients our undivided attention when making a claim for data protection breaches so we will not ask you to join a group action with hundreds of other people claiming for the same breach. Everybody is different and everybody’s medical records will be different so we will always focus on how the data breach has affected you, and only you.


Examples of data breaches which have been sanctioned by the ICO or are under investigation

In 2015 an NHS sexual health clinic, which included routine HIV testing, inadvertently posted the names and email addresses of 781 patients in an email.

The clinic in Dean Street, Soho sent a newsletter out to patients on their list at the clinic by email. Inadvertently it included all the names and email addresses of all those on the mailing list. So, anyone receiving the email could see the email addresses of other patients, knowing that their own details would be known to many others.

The matter was reported to the ICO under the Data Protection Act 1998, with the NHS fined £180,000 for a serious data protection breach. Even though there was no direct financial loss by patients, the data breach could be seen to cause significant distress to those affected.

Recently, a similar incident happened concerning a Gender Identity Clinic which falls under the new laws. That incident is under investigation by the ICO with the prospect of a significant fine and compensation settlements to the individuals affected.

A more recent example is the case of Hammersmith Medicines Research, a company researching drugs and vaccinations. HMR has recently breached the data of thousands of its volunteer patients. This happened when a ransomware group called Maze attacked the computer system, threatening to publish the details of 2,300 volunteers online.

The director of Hammersmith Medicines Research had refused to pay the group the ransom which they had demanded and so the volunteers’ details were posted online.

The personal data included sensitive data contained within medical questionnaires and forms of personal identification. The data which has been breached is said to affect individuals with surnames starting with D, G, I or J, but the company admit that the personal data of anyone within their system may have been stolen by the cybercriminals. The ICO and police are currently investigating this data breach.

Compensation for distress

Unlike other data breaches involving, for example, financial information, medical data breaches are usually based solely on the distress you have suffered, rather than, or in addition to, financial loss. However, this is not always the case, as the loss of medical records may lead to fraud as cybercriminals are becoming more inventive in the way they monetise stolen personal data.

If you have suffered a data breach, you will know how far-reaching its effects can be. The data breach may impact your relationships, job opportunities or progression, or it may cause significant distress and loss of confidence. The initial stress you suffer when you become aware of the breach may result in a diagnosis of conditions like anxiety or depression, or it may exacerbate a condition which you already have. Many of our clients experience stress, lack of sleep, anxiety and confidence issues following a data breach. At DRM Legal, we think these consequences are just as important as any financial loss.

We understand that distress affects everybody differently and we are here to help you through this. If you have suffered a medical data breach or if your personal data has been lost, you have the right to claim compensation.

You can make a claim for compensation against:
  • General Practitioners
  • Dentists
  • Opticians
  • Private Practitioners
  • Psychiatrists
  • Hospitals
  • Pharmacies
  • Specialist consultants
  • Physiotherapists


How to make a medical data breach claim

Get in touch with our team to find out whether you may have a medical data breach claim. If we think that you do have a valid claim for compensation, we will act for you on a no win, no fee basis. This means you have nothing to lose by pursuing your claim, whether or not it succeeds.

Once you have given us the details of your claim, we will consider these and let you know how much compensation you could receive if you were to make a claim. You can then instruct DRM Legal to proceed with your claim and get the compensation you deserve.

If you would like to claim, fill out our claim form now or call our team to discuss your case.