Medical Data Breach Compensation Claims Guide – How Much Compensation Can I Claim? – Amounts For Medical Data Breach
By Stephen Frost. Last Updated 25th August 2021. Welcome to our guide on medical data breach compensation claims. Within this guide, we’ll answer questions such as ‘how much compensation for a data breach?’. We’ll also look at potential data breach compensation amounts by considering some data breach compensation examples.
When you visit medical facilities like a dental practice, GP surgery, pharmacy or hospital, you’ll probably need to provide information about yourself or update information that’s already held on file.
When you supply that information, it’s important that the medical service provider stores it safely and doesn’t use it in ways that you’ve not authorised them to. In this guide, we will explain when you could claim compensation for a medical data breach. We’ll consider what could cause one to happen, the harm that it could lead to and when you might be entitled to make a claim.
What Is A Medical Data Breach And How Do I Claim Compensation?
Following the introduction of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, the Information Commissioner’s Office (ICO) has been able to fine organisations that breach data rules. Below, we’ll provide some examples of penalties that have been issued after the misuse of medical data.
Our team of friendly advisors can help if you decide you’d like to make a claim. We provide free legal advice on any claim following a no-obligation assessment of what’s happened. If your case appears to merit compensation, you could be referred to a specialist solicitor who’ll work for you on a No Win No Fee basis if your claim is accepted.
To find out more about how Legal Expert can help, please call us on 0800 073 8804 today. Alternatively, you’ll find more information on medical compensation claims throughout the rest of this guide.
Select A Section
- A Guide To Medical Compensation Claims
- What Is A Medical Data Breach?
- What Could Be The Impacts Of Medical Data Breaches?
- Types Of Medical Data Breach Incidents You Could Be Impacted By
- Who A Medical Data Breach Claim Could Be Made Against
- NHS Medical Data Breach Compensation
- Private Medical Practice Compensation
- Examples Of Fines The ICO Has Issued For Medical Data Breaches
- What Financial Losses Or Distress Could You Claim For?
- Valuing Your Medical Data Breach Compensation Claim
- How To Report A Medical Data Breach To The Information Commissioner’s Office
- No Win No Fee Medical Compensation
- Speak To Our Experts
- Quick Data Breach Resources
A Guide To Medical Compensation Claims
When you visit a doctor, dentist, optician or pharmacist, you need to have complete faith that their medical expertise will mean you’ll be treated correctly. You also have faith that the procedures and systems they’ve put in place to manage data will mean that your personal or sensitive information doesn’t end up in the wrong hands. While that’s often the case, mistakes can happen, which means you might need to make a medical data breach claim.
When you visit a medical facility for treatment or when you register with them, you’ll probably need to complete some paperwork. Within the forms you’ll fill in, you will probably see some questions or tick boxes relating to the use of your personal information.
The answers you give will determine how the organisation in question can use data about you, including sharing it with other organisations. One of the key rules of the GDPR is that, once your preferences have been collected, they are adhered to.
What is the time limit in which to file a compensation claim?
If you want to make a data breach compensation claim, you’ll need to do so within the relevant time limits. In general, data breach claims need to be submitted within six years. For claims relating to a breach of your human rights, that time limit is reduced to just one year.
Although six years does seem to be a large amount of time to make a claim, our advice is to start as early as possible. In our experience, claimants find it much easier to remember what happened and the effects of the data breach in the months after they found out about it rather than four or five years down the road. Moreover, your solicitor will probably find it’s easier to get hold of supporting evidence if the event has only happened recently.
What Is A Medical Data Breach?
In the GDPR, a personal data breach is listed as a security breach that results in personally identifiable information being lost, destroyed, altered, disclosed or accessed in ways that you have not previously authorised. Whether the act was deliberate, accidental, or illegal does not matter – you could still go on to make a compensation claim for the harm caused.
Importantly, data breaches don’t have to involve digital information. They are just as likely to involve physical printed documentation. For instance, a breach could happen if medical records containing personal information are thrown into the bins rather than shredded securely.
You should be informed of a data breach if a medical organisation discovers one has taken place. They should let you know what happened, when the breach occurred and what information was accessed.
What Could Be The Impacts Of Medical Data Breaches?
If your house was broken into and documents containing your personal information were stolen, you’d feel a lot of anger, stress and anxiety about how that information might be used.
The same feelings are likely when you find out about a medical data breach involving your private information. In serious cases, it’s quite possible that the impact of a breach could lead to you struggling to cope with many aspects of everyday life. In addition, the distress caused by a data breach could mean your job is affected, or your relationships with friends, colleagues and family could all suffer. This could result in a diagnosed psychological condition, like post-traumatic stress disorder, stress or anxiety.
As well as the medical impact of this type of incident, there could be a financial impact. In fact, some effects might not be noticed until months or even years have passed since the breach took place. That could be the case if your personal or sensitive information ends up in the hands of criminals who use it to apply for credit or even blackmail you.
Types Of Medical Data Breach Incidents You Could Be Impacted By
There are a fair few scenarios that could lead to your personal medical information being exposed. Here are some examples:
- When non-medical staff read your records because a computer terminal is left unlocked.
- If documentation containing identifiable information is not disposed of securely.
- Where NHS staff access your medical records when there is no medical reason for them to do so.
- If a letter intended for you is emailed or posted to the wrong address.
- If the medical computer system is hacked or infected with malware, ransomware or spyware.
- If a medical organisation uses data containing your information in a trial of which you were not made aware.
- If your prescription is given to the wrong patient and they’re able to identify you.
This is just a small sample of the types of incidents that could lead to a medical data breach compensation claim. If you suspect your information has been leaked and you’ve suffered as a result, please get in touch with our team today.
Who A Medical Data Breach Claim Could Be Made Against
Within the GDPR, the role of the data controller is defined as the organisation or individual who defines why your personal information is required and how it will be processed. Usually, the data controller will be investigated by the ICO if there is a breach, and they will usually be the party you would sue. That said, it is also possible to claim against the data processor.
Here is a list of those who could be sued for a GDPR data breach:
- GP surgeries.
- Dental surgeries.
- Hospitals or the NHS Trust which runs them.
- Individual healthcare staff.
- Private health companies.
NHS Medical Data Breach Compensation
In reality, nobody wants to claim against the NHS. It is a wonderful organisation that helps patients up and down the country every day, even in the current tricky climate.
However, if you’ve been the victim of a data breach that has caused you harm, you might need to seek compensation to help aid your recovery both financially and psychologically. NHS Trusts, doctors, dentists and other service providers usually pay a premium each year to cover any such compensation cases, so you shouldn’t feel pressure not to start a claim if you’ve been wrongfully harmed.
Here are some examples of parts of the NHS you could claim against:
- GP practices.
- NHS Trusts or a specific hospital.
- Dental surgeries.
- Opticians or the company that operates the practice.
Please see our guide on making an NHS data breach claim for more information.
Private Medical Practice Compensation
It’s important to point out that it’s not just NHS facilities that have a duty to protect your data. Private healthcare companies have the same legal responsibility to secure any information you provide them. Failure to do so could mean you’re entitled to claim against an individual practitioner or the private healthcare company that employs them.
Examples Of Fines The ICO Has Issued For Medical Data Breaches
In this section, we’re going to provide a few examples of data breaches that have meant the ICO had to step in and conduct an investigation:
- An NHS Trust was fined £180,000 after a sexual health clinic in London sent an email to around 800 patients who’d attended an HIV clinic. The fine was issued because every recipient could see everybody else’s email address and name. This meant there was a real risk of patients identifying others and the fact that they could be HIV positive.
- In a similar case, a gender identity clinic in London sent an email to around 2,000 people on its mailing list. The same mistake was made where the CC field was used instead of the BCC field, meaning every recipient could see the email address and name of everyone else who had received the email.
- A pharmacy in London was issued a £275,000 fine because it had stored 500,000 pieces of documentation containing personally identifiable patient information in unlocked containers at the back of its premises.
Data Breach Statistics
The Information Commissioner’s Office (ICO) publishes new data breach statistics every quarter. The figures discussed here cover January-March 2021. They are eye-opening, especially considering the number of data breaches in the top five business sectors within the United Kingdom.
So, in total, there were 2,425 data breach incidents when combining non-cyber security and cybersecurity incidents. The five most prevalent areas are education and childcare, health, land or property services, local government, and retail and manufacturing.
For education and childcare, there were 342 breaches when combining non-cyber and cybersecurity breaches. The ICO’s figures also note 420 breaches for the health sector and 112 for land or property services. Not to mention 239 for local government (a particularly concerning statistic) and 231 for retail and manufacturing.
There are also various forms of data breaches for each area. So, the non-cyber incidents include altering personal data, emailing data to the wrong person or incorrect data subjects for client portals, and posting or faxing data to the wrong recipients.
A failure to redact or use blind carbon copies in emails is also prevalent, along with incorrectly disposing of hardware and paperwork. Furthermore, there’s the loss or theft of devices with personal data and paperwork and leaving data in areas that aren’t safe.
Other examples include access without authorisation and verbally disclosing the presence of personal data.
Cyber incidents include brute-force attacks, denial of service, hardware or software misconfiguration, malware, phishing and ransomware. All of these make up the four-figure total number of data breaches across UK businesses during the first three months of 2021.
The figures for the aforementioned top five most-affected businesses can be seen in the graph below.
If you’ve been impacted by something described above, you could be entitled to data breach compensation. Get in touch with our team today to learn more.
What Financial Losses Or Distress Could You Claim For?
When you claim for problems caused by a data breach, the claim will usually be broken down into two parts:
- Material damages claims are made to recover any financial losses that have occurred as a result of the breach.
- Non-material damages claims are used to compensate you for any diagnosed psychological injuries.
There are a lot of things to consider before submitting your claim, though. For instance, if you’re asking for compensation for financial losses, your solicitor will probably consider future losses that could be incurred too. That could be the case if your personal information were obtained by a criminal who used it to obtain finance. If that’s happened, your credit file and ability to take out credit could be affected for years.
Also, if looking to claim for psychological injuries, your solicitor will use medical experts to assess the impact of any stress, anxiety or Post-Traumatic Stress Disorder (PTSD). These could all affect your work, education, everyday life and also affect your relationships with others.
If you’d like your case assessed thoroughly by one of our specialist solicitors, why not speak to an advisor today? They’ll review your claim with you and could refer your case to a solicitor if it has a reasonable chance of success.
Valuing Your Medical Data Breach Compensation Claim
There was an important legal precedent set by Vidal-Hall and others v Google Inc in the Court of Appeal. The judgement reached in the appeal means that you can now claim compensation for psychological injuries caused by a data breach even when you have not suffered financial losses. The judges in the case also recommended that any such award be paid at the same level as personal injury claims.
Therefore, we’ve added the table below, which provides some example compensation figures for relevant injuries. The data we’ve provided has been taken from a document that solicitors and courts use to determine settlement amounts called the Judicial College Guidelines.
| Injury Type | Level of Severity | Settlement Range | Additional Notes |
|---|---|---|---|
| Psychiatric Damage Generally | | | The 4 factors considered when settling psychiatric damage claims are 1) The claimant's ability to cope with life, education and work, 2) the effect on relationships, 3) whether treatment would be successful, and 4) future vulnerability. |
| Psychiatric Damage Generally | Severe | £51,460 to £108,620 | The claimant will have marked problems with all four factors listed above and a very poor prognosis. |
| Psychiatric Damage Generally | Moderately Severe | £17,900 to £51,460 | In this category, there will be significant problems with the factors listed but the prognosis will be more optimistic. |
| Psychiatric Damage Generally | Moderate | £5,500 to £17,900 | In this category, most of the problems associated with the factors listed will have improved significantly and there will be a good prognosis. |
| Psychiatric Damage Generally | Less Severe | Up to £5,500 | This category considers how long any disabilities lasted and how long daily activities and sleep were impacted. |
| Post-Traumatic Stress Disorder | Severe | £56,180 to £94,470 | There will be permanent symptoms of PTSD in this category which could include hyper-arousal, suicidal ideation, flashbacks or mood disorders which will affect all aspects of the claimant's life. |
| Post-Traumatic Stress Disorder | Moderate | £7,680 to £21,730 | In this category, the claimant will suffer significant disabilities for the foreseeable future but, with professional assistance, things should improve meaning there will be a better prognosis. |
The amount awarded is based on how severe each injury is. That’s why, as part of your claim, your solicitor will book you in to see a local medical specialist. During your medical assessment, the specialist will ask how you’ve been affected and refer to any medical notes available to them. Then, they’ll write a report detailing their findings and send it to your solicitor.
How To Report A Medical Data Breach To The Information Commissioner’s Office
If you make a compensation claim, you will need to supply some evidence of what happened. The first way you could try to obtain this is to follow the organisation’s complaints procedure. When you complain, the organisation in question should respond with their findings. If you’re not happy with the outcome of their investigation, their response should tell you how to escalate the complaint.
If you’ve exhausted all escalation routes and are still unhappy with the outcome, you could raise a complaint with the ICO. They say that you should do this once it’s been 3 months since your last meaningful communication with the organisation. If you leave it too late, the ICO has the right to refuse your case.
You should bear in mind that you don’t have to involve the ICO to make a medical data breach claim, and, even if you do, they cannot award you compensation; they can only fine the party responsible for the breach. The only way you could be compensated is to start your own legal proceedings against the organisation responsible.
If you contact Legal Expert about your case, and it is accepted by one of our solicitors, they could negotiate with the defendant directly to try and reach an amicable settlement figure on your behalf. If that’s unlikely to achieve a positive outcome, they might advise you to contact the ICO, so you have more formal evidence of what happened.
No Win No Fee Medical Compensation
There is one common reason why people don’t make compensation claims – the fact that they’re worried about the cost of hiring a solicitor. Our team of solicitors can remove much of that worry because they offer a No Win No Fee service for all claims they accept. Not only is your financial risk reduced, but the whole claims process becomes a lot less stressful too.
Before accepting your claim, a solicitor will review whether it’s viable or not. Once they’re happy, you’ll be given a Conditional Fee Agreement or CFA to sign. This is your contract and sets out what your solicitor will do for you. It will also explain that:
- You won’t pay any charges upfront, which allows the case to begin quickly.
- There are no hidden charges or solicitor’s fees payable while the case progresses.
- If the case is lost, your solicitor won’t charge you any fees.
Should your claim be won and compensation paid, your solicitor will retain a small percentage to cover their work and costs. This ‘success fee’ is limited by law, and the exact percentage you’ll pay is listed in the CFA, so there aren’t any surprises when the claim is finalised.
Speak To Our Experts
If you’d like to discuss claiming with Legal Expert today, or if you have any questions about the process, you can:
- Call a specialist for free claims advice on 0800 073 8804.
- Please send us an email with details of your claim to firstname.lastname@example.org.
- Start your claim online to arrange a call back at a convenient time.
- Ask an online advisor for support in our online chat facility.
Quick Data Breach Resources
Thanks for taking the time to read this guide about making medical data breach claims. In this final section, we’ve provided you with some additional links and resources which we believe could be useful. If there’s anything else you’d like to know, please ask an advisor today.
Data Breach Compensation Claims – Our detailed guide to the data protection breach claims process
I Suffered Stress After A Data Breach – Find out more about claiming for psychological injuries after a data breach
My Personal Data Has Been Lost – Learn what to do if your private information has been lost
Do I Have An Anxiety Disorder? – NHS advice on how anxiety disorders are diagnosed.
Be Data-Aware – An ICO article that explains how organisations might use information about you.
NHS Complaints Procedure – The formal routes you can take to complain about the NHS.
Data Breach FAQs
How much compensation do you get for a breach of data protection?
A typical compensation amount tends to lie between £1,000 and £42,900.
Can I sue for a data breach?
You could sue for a data breach if you discover that you’re the victim of such an occurrence due to negligence.
What are the 3 categories of personal data breaches?
These are a confidentiality breach, an availability breach and an integrity breach.
How long do data breach claims take?
This can vary from several months to several years, depending on the circumstances and the evidence available.
What happens if your data suffers a breach?
It could quickly result in millions of private data records being in the public domain.
Is a data breach illegal?
A data breach that happens intentionally represents illegal activity on behalf of the perpetrator.
Could I lose my job for breaching GDPR?
Yes, you could lose your job if your actions and/or lack thereof cause a serious data breach.
How much could a fine be for a GDPR breach?
The maximum EU fine for a GDPR breach is up to €20 million, or approximately £18 million.
Thank you for reading our guide on medical data breach compensation claims, which answers popular queries such as ‘how much compensation for a data breach?’ We hope you found the information in this guide, including the data breach compensation amounts and data breach compensation examples highlighted, to be useful.