GP Data Breach Compensation Claims Guide

By Daniel Archer. Last Updated 22nd February 2023. This guide will explore when you could be eligible to claim following a GP data breach.

GP data breach claims guide

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) set out the responsibilities that a data controller and a data processor have to protect your personal data. Each party has a different role, with the controller deciding on the purpose for processing and the processor acting on the controller’s instruction.

If either fails to adhere to data protection laws, resulting in your personal data being breached and causing you to suffer financial loss or emotional harm, you could be eligible to seek data breach compensation. We will explore this further in our guide.

We’re here to help you if you would like to claim for a data breach by your GP. Our advisors provide free advice for any potential claimant after providing a no-obligation assessment of the case. Should there be enough evidence to support a claim, you’ll be referred to one of our experienced No Win No Fee solicitors.

To speak to our advisers about data breach claims, you can call us on 0800 073 8804. You can also contact us online using our claim form or our live chat service. Alternatively, please continue reading to find out how we are able to help data breach victims.

A Guide To Data Breach Claims Against Your GP Surgery

If you visit a new website for the first time, you’ll no doubt click ‘agree’ on the pop-up box that refers to internet cookies. What you’re actually doing is giving permission to the website to collect data from you and use it for different purposes. The pop-up box is there to help them fulfil their duties under GDPR regulations.

When you see your doctor, on occasions you may be asked to fill in a questionnaire, either electronically or on paper. Many of these forms will have a section about sharing your data with other NHS departments or other organisations. That section is the same as the pop-up box on websites and is used so that the GP surgery has met some of its GDPR responsibilities.

It’s important that the staff at the surgery only use the data in line with your instructions. For instance, if you permit your data to be shared with social services but not with mental health teams, then your requests must be adhered to.

During this article, we’ll review why a GP surgery data breach might happen, when that could entitle you to compensation and potential amounts that could be paid.

We should inform you that most GDPR claims have a one-year time limit to start if the organisation you wish to claim against is a public body. If you’re looking to claim against a different type of organisation, then the time limit for starting a data breach claim is usually six years instead.

In either case, there are many reasons why you should start the claim as early as possible. One is that you’ll find it a lot easier to remember key events in the weeks and months after you found out about the breach.

If you’d like to discuss how Legal Expert could help you start a data breach claim against your GP, please get in touch with us today.

What Is A GP Surgery Medical Data Breach?

Data breaches happen when information that contains personal data is disclosed, accessed, destroyed or lost in ways that you’ve not permitted. A data breach could relate to confidential or sensitive information, such as your medical records, being disclosed to parties who should not have seen it. Compensation for a data breach could be possible whether the breach was accidental or deliberate.

When we talk about a medical data breach, we often jump to the conclusion that computers are involved. However, a GDPR breach is possible where printed or written documentation has been accessed inappropriately as well.

For instance, a breach will have happened if your medical records were viewed by unauthorised contractors or visitors to the GP surgery because they weren’t locked away. Another example could be where a letter containing sensitive information intended for you was posted or emailed to the wrong patient.

If you find out that your data has been compromised because the GP surgery has told you about the breach or if you found out in another way, why not call us to discuss if you have a valid data protection compensation claim?

GP Data Breach – Evidence To Support Your Claim

If you’ve suffered psychologically or physically due to a medical data breach, compensation could be owed to you. As part of the process of making a claim, you need to be able to present evidence. Below, we’ve included a short list of examples.

This list is not exhaustive, and there may be other ways of supporting your claim, depending on your circumstances.

  • Medical records – For example, you could attend a medical assessment if you have been affected emotionally by the breach. Copies of your medical records can help prove any stress, distress or anxiety you have suffered.
  • Letter of notice/emails – It’s vital you keep hold of any correspondence from the person or body who notifies you of a data breach. You should ask for the notification in writing if the initial report is given to you over the phone or in person.
  • Financial records – For example, you could provide copies of bank statements, credit card statements and payslips which could show any lost earnings if you have needed to take time off work due to the stress the personal data breach has caused you.

To find out more about evidence or how to make a claim for a medical data breach in the UK, get in touch with our advisors today.

How Could A GP Surgery Breach Data Protection Laws?

As mentioned earlier, when we think about NHS data breaches, we commonly think of cyberattacks against computers holding our data. However, making a data breach claim against a GP is more likely to be required because of a human error.

Although the GDPR is a relatively new law, data protection isn’t a new phenomenon. This means that GP surgeries will have had processes and methods in place before GDPR that had to be updated when the new regulations came into force. That said, GP surgery staff who have access to personal information should be fully trained on their new obligations to try and ensure data remains safe.

Here are some examples of scenarios that could lead to a GP data protection breach:

  • Sensitive personal information is emailed or posted to the wrong patient.
  • Losing medical records or leaving them lying around, meaning there’s a potential for unauthorised access.
  • Where unauthorised staff, with no medical reason to do so, access your records.
  • Supplying your medical records to unauthorised organisations.
  • Network or computer attacks such as ransomware, malware or viruses.
  • Staff leaving their computers unlocked while away from their desk.

In some cases, you’ll never find out about a data breach if the GP surgery doesn’t identify that it’s happened. However, if they become aware of a breach, they should get in touch with you, let you know what happened and what information was accessed.

If you’ve found out about a data breach by a GP surgery that has affected you, and you’d like to find out if you might be compensated, please contact our team of specialists for free legal advice today.

Examples Of ICO Data Breach Fines Against GP Surgeries

In this section of our article, we’re going to look at data breaches by GP surgeries which have been reported in the media.

In the first example, a company that provides software to GPs to allow them to carry out video consultations was alerted to the fact that a patient had been able to view up to 50 consultation recordings of other patients through the GP at Hand app provided by Babylon Health.

Fortunately, the company acted quickly to identify the software bug, which was caused by a new feature, and fixed the problem within 2 hours. However, as well as the original report, Babylon Health also established that two more patients had been presented with the list of consultations but did not access them.

Babylon Health’s data protection officer had reported the incident to the ICO, and the original complainant did as well. The ICO provided the company with advice on the data breach and went on to say “…not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law.”


In our second example, Bayswater Medical Centre (BMC) in London was fined £35,000 by the ICO for leaving personal medical records, identifiable medicines and prescriptions unsecured when it vacated its property in 2015.

When another GP surgery took over the property, it told BMC about its findings. BMC was also warned by a local Clinical Commissioning Group but still failed to secure the records. When NHS England visited the site and found a large amount of data in bins and unlocked cabinets, the ICO was informed.

The ICO originally ordered an £85,000 fine due to the amount of data but reduced this in line with BMC’s ability to pay.


Do I Need To Report A Medical Data Breach To The Information Commissioner’s Office (ICO)?

If you find out about a medical data breach in the UK, you might decide that you want to begin a compensation claim for any harm caused. However, doing so might not be that straightforward if you don’t have evidence to prove what happened.

What you could do, in the first instance, is contact the GP surgery directly and ask what happened. This might result in an admission of guilt or the surgery could deny any wrongdoing. If you’re not happy with the outcome you may wish to report the data breach to the ICO directly.

You should be aware that the ICO won’t usually be interested in cases that have taken a long time to be brought to their attention. Generally, you need to make contact with the ICO within 3 months of the last meaningful contact you had with your GP for them to investigate the matter.

What we should tell you though is that a complaint to the ICO or the GP surgery directly will not result in a compensation payment. While the ICO can dish out data breach fines, you’ll need to make a claim against the surgery directly if you wish to be compensated. That said, the findings of an ICO investigation, or a formal complaint to the GP, could help prove that the breach occurred.

If 3 months have passed since you last had meaningful contact with the GP surgery, we’d advise that you contact our team of specialist solicitors. It’s sometimes possible that they can settle a claim directly with the GP surgery without having to contact the ICO.

In other cases, they might advise that an ICO investigation is required to help prove what happened. Please contact us today so that we can assess how to progress your claim for free.

What Could I Claim For In GP Surgery GDPR Data Breach?

So far, we’ve tried to answer the questions, “Can I sue for a GDPR breach?”, and “Can I sue a GP for breach of confidentiality?” Now that you understand claims are sometimes possible, we’re going to look at what you can include within the claim. In general, your solicitor will look to claim for:

  • Non-material damage such as psychological damage, anxiety or emotional distress.
  • Material damage such as financial losses caused by the data breach, e.g. where the breach led to identity theft.

Unlike other types of compensation claims, you could ask for compensation for a data breach even if there has been no suffering caused. However, each and every case is different so your claim will need to be assessed by one of our specialist solicitors before you’ll know exactly what you could claim for.

The impact of the data breach is one thing your solicitor will need to look at before submitting your claim. For instance, if your data has been sold through criminal channels, there might be an effect on your credit file that lasts for many years.

With regards to stress, an assessment needs to be made as to the impact the distress, anxiety and confusion have had on your relationships with family and friends or your ability to work.

As you’ll no doubt have noticed, claiming for a data breach can sometimes be a complex task. It’s important that everything you’re entitled to is claimed for at the same time because, once you’ve settled your claim, you can’t go back and ask for additional compensation.

Why not let one of our experienced solicitors manage your claim for you to make the whole process easier? Please call today if you’d like to discuss your options.

Unauthorized Access To Patient Medical Records In The UK – What Else Could I Claim?

Unauthorized access to patient medical records in the UK could potentially lead to a claim if you could prove it was caused by the failings of the organisation in question. In a successful data breach claim, your compensation for a breach of confidentiality could include awards for both material and non-material damage.

Material damages relate to financial losses, while non-material damages relate to psychological suffering. Potential settlement amounts for non-material damage are shown in the table below, but material damages could include:

  • Loss of earnings
  • Cost of treatment such as therapy
  • Any money lost as a result of your debit card details being exposed in a breach, for example

You can reach out to our solicitors to support you in your claims process.

Estimating Compensation For A Data Breach Claim Against Your GP

If you have grounds to make a data breach claim against your GP, you may be asking questions such as ‘how much compensation will I get for a data breach?’. You may be seeking a data breach compensation calculator to help answer this query. Within this section, we’ll explore potential compensation amounts for a data breach claim.

The basis for claiming compensation for some cases was established by the Court of Appeal case of Vidal-Hall and others v Google Inc [2015]. It was decided there that it is possible for claimants to seek compensation for a data breach even if they didn’t sustain a financial loss. It was also decided that compensation should be awarded in line with personal injury compensation payments in relation to psychiatric injuries.

The table below shows some compensation brackets for relevant injuries that are based on a document called the Judicial College Guidelines (JCG).

| Type of Suffering | Severity | Compensation Bracket | Compensation Information |
| Post-Traumatic Stress Disorder (PTSD) | Severe | £59,860 to £100,670 | This bracket is used when all aspects of the claimant’s life have been badly affected. This could include permanent symptoms which mean the injured person is unable to work at all or where they can’t function at anything like pre-trauma levels. |
| Post-Traumatic Stress Disorder (PTSD) | Moderate | £8,180 to £23,150 | This category covers cases where the claimant has just about fully recovered and where continuing symptoms aren’t grossly disabling. |
| Psychiatric Damage | Moderately Severe | £19,070 to £54,830 | This bracket is for cases where there is a significant impact on the claimant’s ability to cope with education, life or work and to manage relationships. However, the prognosis will be relatively optimistic. |
| Psychiatric Damage | Moderate | £5,860 to £19,070 | In this category, the symptoms will have been similar to above but there will have been some good progress, a marked improvement and a good prognosis. |

As you can see, the JCG brackets can vary based on the severity of your suffering. Solicitors assisting with a claim you make may use the JCG brackets for reference when calculating the value of your psychological injuries. To help prove the true extent of your suffering, your solicitor will arrange for a local medical assessment to be conducted within the claims process. As a result of the medical specialist’s findings, a report will be written and sent to your solicitor.

Due to the fact that psychiatric injuries affect people differently, the figures listed in our table should be used as guidance only. Once your claim has been assessed by a solicitor, you’ll be provided with a more personalised compensation figure that they hope to achieve for you.

No Win No Fee Data Breach Claim Against Your GP

Many people don’t ever go on to start a data breach claim because they’re concerned about how much the process will cost them. Well, to alleviate a lot of the financial risk and to reduce stress levels too, our team of solicitors provide a No Win No Fee claims service for any case they accept.

The first part of the claims process is where the solicitor will check that the claim is viable. Then, when both parties are happy, a Conditional Fee Agreement (CFA) will be prepared.

The CFA is the method by which your claim will be funded. It provides some key benefits including:

  • No upfront charges.
  • There are no solicitor’s fees payable during the claims process.
  • If the claim is lost, you don’t have to pay any of your solicitor’s fees.

In the CFA, you’ll find a section about a success fee. This is a small percentage of your compensation retained by the solicitor if they win your case. The exact percentage, which is capped by law, is listed clearly so that there are no surprises when the claim is finalised.

To check if you’re able to claim using a No Win No Fee agreement, please discuss your case with a member of our team today.

How To Find A Lawyer Handling Data Protection Breach Claims

There are a number of ways that you could find a solicitor to take on your data breach claim. You could ask a friend, find local solicitors on the high street or read online reviews. Alternatively, to save you a lot of time, you could contact Legal Expert and let one of our specialists work for you.

Our team of solicitors have decades of experience handling all sorts of claims and offer a No Win No Fee service for all cases they take on. Please check the following section for information on how to begin your claim with us.

Contacting A Lawyer About Your Data Breach Claim

To start a claim with Legal Expert today, you can:

Extra Resources

Here are some additional guides and resources which might prove useful when researching your claim:

GP Complaints – Advice on how to make a formal complaint about a GP.

GDPR Legislation – This link contains a PDF document containing the full 88 pages of GDPR legislation.

GP Ratings – Details on how the Care Quality Commission rates GP practices.

Medical Negligence Claims – Guidance on claiming compensation for suffering caused by medical negligence by a GP.

NHS Claim Time Limits – A review of the time limits that apply in different cases when suing the NHS.

Professional Negligence Claims – Advice on how to claim compensation when professional advice has caused you harm.

Ticketmaster Data Breach – A useful guide on claiming compensation following a data breach.

Can I get compensation for loss of medical records? Find out here.

Can I claim compensation for a passport data breach? Learn more here.

You can also check out our guide on claiming for Unauthorised Access To Patient Medical Records in UK hospitals. We also have a guide on Claiming Compensation For Loss Of Medical Records. If you would like to speak to an adviser about making a data breach claim against your GP, then please get in touch with Legal Expert using the contact details within this guide.
