My Employer Exposed My Mental Health Information In A Data Breach – Can I Claim Compensation?

Last updated 30th April 2025. If you experienced a mental health information data breach at work, your employer might owe you compensation.

It is normal for employers to collect personal data about their staff. This does not always include medical data: unless a condition affects your work, you would not normally have to disclose it. Where an employer does hold health information, it is special category data under Article 9 of the UK General Data Protection Regulation (UK GDPR), and the UK GDPR and the Data Protection Act 2018 require the employer to safeguard it with appropriate technical and organisational measures. So, if an employer data breach occurs because of the employer's wrongful conduct, such as failing to put adequate security in place, and that breach caused you harm, you may be eligible to make a claim.

So, if your employer has exposed your private mental health information, don't hesitate to get in touch with Legal Expert today. We can provide you with a skilled solicitor to handle your data breach claim. What's more, you will have the option to make a No Win No Fee claim.

To begin your claim, please call us on 0800 073 8804. Alternatively, use our form to begin your claim online by filling in our contact us form.

What Is A Mental Health Information Data Breach?

A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, meaning information that can identify you on its own or in combination with other data. Some of this data, including data about your health, is of a sensitive nature and is classed as special category data.

The Information Commissioner's Office (ICO) is the UK's independent data protection regulator, a non-departmental public body that enforces the UK GDPR and the Data Protection Act 2018. It can investigate breaches and fine organisations that fail to comply.

How can a personal data breach occur? For example:

  • An organisation loses or alters personal data, or has it encrypted by an attacker (for instance by ransomware) so that it can no longer be accessed
  • The organisation destroys personal data without using proper, secure disposal channels
  • Your personal information is sent to the wrong recipient
  • An online database containing personal information is accessed by an attacker because adequate security controls were not in place.

Mental health information data breaches that occur because an employer failed to put the correct procedures in place to secure this data can have far-reaching consequences for the health of those involved.

What effect can a mental health data breach have on you? You may have experienced emotional distress and stress if your medical history has been exposed. Moreover, the stress caused by the data breach may have exacerbated an existing mental health condition.

How Often Do Data Breaches Happen In The Workplace?

Data from the UK government's Cyber Security Breaches Survey 2021, which surveyed 1,419 UK businesses, 487 UK charities and 378 education institutions between 12 October 2020 and 22 January 2021, indicates that:

  • Four in ten businesses experienced a cyber security breach or attack during this period.
  • A quarter of charities experienced a cyber security breach or attack during this period.
  • Among organisations that identified an incident, the most common type of attack was phishing. The second most common was impersonation of the organisation in emails or online.

How To Report A Data Breach By Your Employer

If you suffer a mental health information data breach at work and the breach is likely to result in a risk to your rights and freedoms, your employer must report it to the ICO within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to you, they must also inform you without undue delay. After that, the ICO may investigate the data breach and may fine the organisation.

But what should you do if you discover a breach of your medical information at work? Firstly, you can write to whoever in the organisation deals with data protection (often a data protection officer) and ask whether your personal information has been breached, what was exposed and what is being done about it. If you are not happy with the response, you can make a complaint to the ICO. You will need to do this within 3 months of your last meaningful communication with the organisation about the data breach.

How Can An Employer Expose Your Mental Health Information?

Some data breaches are intentional, but many are accidental. Let’s look at how a mental health information data breach could happen at work.

Unintentional Data Breaches

Sadly, human error is the cause of many data breaches. For example, a manager could send an email containing your medical information, such as records about your mental health, to the wrong employee.

A lack of staff training or of internal data handling processes can also cause accidental data breaches. For example, a receptionist may leave a file containing confidential information about an employee's mental health and wellbeing on a public-facing desk, meaning that unauthorised persons could access the data.

Organisations can avoid unintentional data breaches by putting robust internal processes in place and investing in staff training.

Intentional Data Breaches

Cyber security controls that are not kept up to date or risk assessed, for example unpatched software or missing access controls, can allow hackers to gain access to online files and records. These files may contain employee health data, so a successful attack may mean personal and sensitive information has been exposed. Any data controller must ensure that digital files are protected by appropriate technical and organisational security measures, as the UK GDPR requires.

An organisation could be held liable for the data breach if it had no adequate security measures in place to protect the data.

What Mental Health Information Could Employers Hold?

Data concerning health, which includes mental health, is special category data under Article 9 of the UK GDPR. Employers therefore need a specific condition for processing it and must apply extra safeguards if they handle or process this type of information.

Employees may choose to inform their employers of any health conditions, especially if adjustments need to be made to the way they work. An employee may therefore tell their employer about:

  • Personal mental health issues
  • Any information about their mental health disorder
  • Information about the mental health services they use
  • Data regarding the treatment of mental health conditions

What Evidence Do I Need To Make A Data Breach Claim?

If your personal data has been subject to a mental health information data breach, these types of evidence will best support your claim:

  • Report findings from the ICO. You can report a data breach to the ICO within 3 months of your last meaningful communication with the party responsible for the breach of mental health data in the workplace. The ICO can then choose to investigate this breach, and their findings can be used as evidence. 
  • Medical records and a diagnosis letter from a psychiatrist to prove your psychological suffering. 
  • Payslips, invoices, receipts, and bank statements to prove any financial losses the data breach has caused. 
  • A notification letter to prove the data breach occurred. 
  • Copies of any correspondence you’ve had with the party responsible for the mental health data breach at work. Your correspondence might show how the data breach occurred, what data was compromised, and what steps are being taken to prevent a similar data breach from occurring again. 

If you connect with one of our specialist data breach solicitors, they can help you collect the above evidence. 

If your employer has exposed mental health data about you, please contact us whenever is convenient for you.

Check What You Could Claim For A Mental Health Information Data Breach

There are two types of compensation you can claim for if your mental health information data breach claim is successful:

  • Material damages can compensate you for the costs or monetary losses associated with the data breach.
  • Non-material damages compensate you for the emotional distress or psychiatric injury your data breach has caused.

You can use our table to estimate how much your non-material damages claim could be worth. We used the Judicial College Guidelines (JCG) to create this table; only the top row is not taken from that document. Data breach solicitors use this information to help them value compensation claims. But, please bear in mind that this table is for guidance only.

Type Of Harm Suffered                                          | Severity              | Possible Compensation
Multiple types of severe psychiatric harm plus material damage | Serious               | Up to £250,000+
Psychiatric Damage                                             | Severe (a)            | £66,920 to £141,240
Psychiatric Damage                                             | Moderately severe (b) | £23,270 to £66,920
Psychiatric Damage                                             | Moderate (c)          | £7,150 to £23,270
Psychiatric Damage                                             | Less severe (d)       | £1,880 to £7,150
PTSD                                                           | Severe (a)            | £73,050 to £122,850
PTSD                                                           | Moderately severe (b) | £28,250 to £73,050
PTSD                                                           | Moderate (c)          | £9,980 to £28,250
PTSD                                                           | Less severe (d)       | £4,820 to £9,980

However, please note that many factors determine how much a compensation claim is settled at. Feel free to call our claims helpline today, and an advisor can let you know how much money you could be owed.

Check If You Could Make A No Win No Fee Claim

Have you thought about how you might fund the services of a solicitor if you choose to hire legal representation? You could enter into a No Win No Fee arrangement with a solicitor. This would mean you both sign a Conditional Fee Agreement (CFA). The CFA sets out the terms and conditions under which the solicitor will be paid a success fee.

There are no upfront fees to pay for the solicitor to begin work on your data breach claim. Instead, you will agree to pay a success fee if you win.

The success fee will be deducted from your compensation payout if your claim is successful. If for some reason your claim fails there is no success fee to pay the solicitor, hence, No Win No Fee.

Please get in touch with us today to begin your sensitive data breach compensation claim:

  • Call our claims helpline on 0800 073 8804
  • Use the Live Support widget to enquire about claiming
  • Or you can claim online, using our contact us form.

Learn More About Data Breaches

We have plenty of online resources about data breach claims.

School Data Breach Compensation Claims Guide

Can I Get Compensation For Loss of Medical Records?

HR Data Breaches Compensation Claims Guide

An ICO guide about the possible outcomes of a data breach claim.

A guide from the UK government on avoiding phishing scams.

An ICO guide to personal data breaches

We hope this guide has helped inform you about mental health information data breaches.

Guide By Cheleache

Edited By Melissa.

Meet The Team

Patrick Mallon (BA, PgDl) is a Grade A personal injury solicitor and head of our EL/PL department, which handles accidents at work and public liability claims, such as slips, trips and falls. He qualified in 2005 and has over 20 years of experience. Patrick is an expert No Win No Fee lawyer and well known for his successful case, Billie Mae Smith v McDonalds. Get in touch today for free to see how Patrick and the team can help you.