Make A Medical Data Breach Compensation Claim

By Stephen Yutani. Last Updated 18th September 2024. Suffering a breach of your medical data can have a tremendous impact on your life. It could see delays in treatment, and it could cause significant distress and worry knowing that your personal and sensitive information has been exposed. To help you understand your legal rights and options, we put together this guide on making a medical data breach compensation claim.

Below, we look at the criteria that must be met in order to begin a claim, the time limits for doing so and the evidence you could gather to support your case. We also look at what medical data breach compensation amount you could receive in your case. 

If you’d like to make a data breach claim today, then get in touch. We offer free advice which you can access via the methods below:

  • Call on 020 8050 3051
  • Speak to an advisor using our live chat 
  • Request a call back via our ‘Contact Us’ form

What Is A Medical Data Breach?

A medical data breach is an incident in which your medical records, or pieces of information from them, are either destroyed, lost, altered, disclosed or accessed without your consent.

We discuss examples below, but to give you an idea of how a medical data breach could happen, we can look at the case of Doorstop Dispensaree. The Information Commissioner’s Office (ICO) conducted an investigation into the pharmacy and found serious breaches of medical data. The company stored patient records containing medical information, NHS numbers and names and addresses in unlocked crates and in bags at the rear of their property, which was accessible to some members of the public. It was estimated that 500,000 documents were involved.

This is an example of what a medical data breach is. Let’s look at how common they are.

Are Medical Data Breaches Common?

As specialists in data breach compensation claims, we also conduct our own research to see how common breaches of personal data are.

Recently, we undertook research on the number of data breaches within the NHS. We issued a Freedom of Information request to NHS Resolution and found the following:

  • The total number of data breach claims made against the NHS in 2020/21 was 250.
  • In 2021/22 the total number of claims made rose to 296.
  • In 2022/23, the total number of claims rose further to 351.
  • This is an increase of around 50 claims per year.
  • We also found that in 2021/22, the total amount of compensation paid out in claims was just over £1.4 million.
  • In 2022/23, the total amount of data breach compensation paid out by the NHS was just over £2.5 million.

If you’d like to see a copy of our Freedom of Information response, we’d be happy to share. Please get in touch to get a copy.

How Could A Medical Data Breach Happen?

There are many ways that a data breach can happen in a medical setting, but just because a breach occurred doesn’t mean you’ll be eligible for medical data breach compensation. As we’ve already mentioned, you need to prove that wrongful conduct occurred and that you were harmed as a result to form the basis of a valid claim.

For example, you could potentially make a claim if:

  • Your GP surgery sent a letter containing your personal details, like details about your medical conditions, to the wrong postal address despite having the correct address on file. Your neighbour then has access to your personal details, causing you anxiety.
  • Your ex-husband phones the clinic where you are receiving treatment and asks for your details. Instead of doing a security check, like asking for your date of birth, the receptionist gives him your current address. This causes you severe PTSD and means you need to relocate.
  • A hospital sends a bulk email to all patients receiving treatment for a certain disease or disorder but does not use the BCC feature. This reveals the identities of everyone receiving treatment for that disorder, causing anxiety and embarrassment.

These are only a few examples of when you could potentially make a claim for medical data breach compensation. Keep reading for more information on the data breach claims process, or contact our team today to learn more.

What Should I Do If I Suffer A Medical Data Breach?

If a medical data breach occurs that could threaten your freedoms or rights, the organisation responsible for the breach must inform you without undue delay. They must also inform the ICO within 72 hours.

You could complain to the organisation if you suspect a personal data breach has happened but they have not confirmed it. They may not respond within three months, or their response may be unsatisfactory. You can take your complaint to the ICO if this is the case.

Communications between yourself and the organisation or the ICO could help support a claim for compensation. For example, confirmation of the breach or correspondence that proves the organisation’s failings were the cause of the breach.

It’s also important to keep an eye out for any suspicious calls, text messages or emails. Sometimes if your data has been exposed, criminals can use it to try and manipulate you into accessing the likes of your bank accounts by pretending to be someone else, such as your GP surgery.

You should also keep a close eye on the likes of your credit rating in case anyone tries to use your data to pretend to be you.

Another important thing to do after a medical data breach is to get legal advice, which we can help you with today.

Can I Claim Medical Data Breach Compensation?

Article 82 of the UK GDPR sets out the eligibility criteria for claiming data breach compensation. This includes:

  • The breach must be a result of the organisation’s wrongful conduct
  • The breach must involve your personal data
  • You must suffer harm as a result of the breach. For example, psychological injuries such as distress, or financial harm.

Following a personal data breach, it can be helpful to seek legal advice. Specialist data breach solicitors could help gather evidence for a personal data breach claim.

Personal data is information that can be used to identify an individual. This can include a person’s name, email address, or phone number. Additionally, there is special category data, which is a type of personal data that needs extra protection. This can include data concerning a person’s health, for example, medical records.

The UK General Data Protection Regulation (UK GDPR), along with the Data Protection Act 2018 (DPA), establishes the responsibilities that controllers and processors have to protect your personal data. A failure to do so is a breach of data protection and could lead to your personal data becoming affected in a breach.

Can I Claim Compensation If NHS Staff Accessed My Medical Records Without My Consent?

In some cases of medical data breaches, the cause of the incident may have been NHS staff accessing your medical records without your consent.

For example, if someone you know works in the NHS and recognises you when you attend for an appointment, they could abuse their position to check your records to see why you attended.

This happened to the famous singer Ed Sheeran back in 2018. When attending Ipswich Hospital for broken bones, some curious hospital staff accessed his records without authorisation. One member of staff involved was dismissed.

How Long Do I Have To Claim Compensation For A Medical Data Breach?

When seeking medical data breach compensation, you generally have six years to begin the claims process. 

If you would like more details regarding the data breach claim time limit, please get in touch with an advisor from our team. They can also provide further guidance on whether you could be eligible to pursue a claim.

Is There An Average Medical Data Breach Compensation Amount?

Given that every case is unique, it’s difficult to state an average medical data breach compensation amount.

Payouts can vary depending on the facts of the case and the impact the breach has had on those affected.

A compensation amount can account for two types of damage or loss.

Firstly, compensation can be awarded for the non-material damage you have suffered. This refers to the mental harm you have sustained as a result of the data breach. For example, you could experience distress, anxiety, depression or post-traumatic stress disorder (PTSD) due to a data breach.

The second is material damage, which relates to finances. We explain more on this in the section below.

While we can’t offer an average compensation payout here, we’ve included a table of guideline award brackets from the Judicial College Guidelines (JCG). Solicitors can use the JCG to aid them when valuing claims. However, these amounts should only be used as guidance. This is due to every claim being unique, meaning your payout could differ depending on your unique circumstances. 

| Type of Harm | Severity | Compensation Bracket - Guideline | Details |
|---|---|---|---|
| Severe Mental Harm With Financial Losses | Severe | Up to £250,000+ | A combination of severe mental harm with financial losses like the cost of counselling |
| Mental Harm | Severe | £66,920 to £141,240 | The person will experience marked problems with respect to their ability to cope with life, education and work as well as the effect on their relationships with family and friends. They will have a very poor prognosis. |
| Mental Harm | Moderately Severe | £23,270 to £66,920 | The person will experience significant problems with respect to the issues mentioned in the above bracket but they will have a better prognosis. |
| Mental Harm | Moderate | £7,150 to £23,270 | A significant improvement has been made and the person will have a good prognosis. |
| Mental Harm | Less Severe | £1,880 to £7,150 | The award for this bracket will be valued by considering the timescale of disability and how it impacted the injured person's life. |
| Reactive Psychiatric Disorder | Severe | £73,050 to £122,850 | There will be permanent effects preventing the injured person from functioning at the same level as before the trauma. As such, all parts of their life will be badly affected. |
| Reactive Psychiatric Disorder | Moderately Severe | £28,250 to £73,050 | A better prognosis will be achieved with the assistance of a medical professional. Despite this, the effects are still likely to cause a significant disability for the foreseeable future. |
| Reactive Psychiatric Disorder | Moderate | £9,980 to £28,250 | There may be ongoing issues but these won't be majorly disabling and the injured person will have largely recovered. |
| Reactive Psychiatric Disorder | Less Severe | £4,820 to £9,980 | An almost complete recovery is made within 1-2 years. There are symptoms that persist over a longer period but these are minor. |

These figures come from the 17th edition of the JCG, published in 2024.

What Else Could I Be Compensated For?

You could also be awarded compensation for material damage caused by the data breach. This refers to the financial losses that you have sustained as a result of the data breach. 

For example, if you attend a private hospital, you may be required to pay for your care. As such, they may process your financial information, such as your debit or credit card details. If these are compromised in a breach, it could lead to you having money stolen from your bank account or loans being taken out in your name.

If you are wondering how to claim compensation for a data breach and the settlement you could be awarded, please contact an advisor from our team.

How Do I Prove My Medical Data Breach Compensation Claim?

There are several pieces of evidence you could gather to support your medical data breach compensation claim. For example, you could:

  • Collect correspondence between yourself and the organisation responsible for the breach. For example, emails or letters detailing how it occurred and what data was affected.
  • Have any psychological injuries checked by a doctor and request a copy of your medical records.
  • Provide evidence of any financial losses incurred due to the breach via your bank statement or credit score report.

Additionally, the Information Commissioner’s Office (ICO), an independent watchdog that upholds data protection laws, can carry out investigations and take enforcement action against organisations who have breached data protection laws. If you make a complaint to them and they choose to investigate, you could use their findings as evidence to support your case.

If you’re unsure how to collect evidence, you should call an advisor using the number above. They could connect you with a solicitor from our panel, provided you have valid grounds to seek personal data breach compensation.

Claim Compensation For A Medical Data Breach On A No Win No Fee Basis

A No Win No Fee solicitor from our panel could support you if you have valid grounds to start a medical data breach compensation claim. They can guide you through each step of the process, such as gathering evidence.

Furthermore, they could offer you a Conditional Fee Agreement (CFA). Under this type of agreement, you aren’t typically required to pay for the services your solicitor provides upfront or while your claim is being processed. 

There are also usually no fees to be paid for your solicitor’s services if your case is not successful. However, if your claim is a success, you will pay what’s called a success fee. Your solicitor will subtract a small, legally capped percentage of your compensation to cover their payment. The legal cap is in place to ensure that you get to keep the majority of your compensation.

To learn more about working with one of the No Win No Fee data breach solicitors on our panel, please get in touch with our advisors today. They can assess your eligibility to claim and they may also be able to estimate what medical data breach compensation amount could be awarded. To reach our team, you can:

  • Call us on 020 8050 3051
  • Speak to an advisor using our 24/7 live chat 
  • Or request a call back via our ‘Contact Us’ form

Thank you for reading this guide on when you could be eligible to seek medical data breach compensation and how much you could be awarded. If you have any remaining questions, please do not hesitate to get in touch.