Medical Data Breach Compensation Claims Guide – How Much Compensation Can I Claim? – Amounts For Medical Data Breach
By Max Mitrovic. Last Updated 17th May 2022. Welcome to our guide on medical data breach compensation claims. Within this guide, we’ll answer questions such as ‘how much compensation for a data breach?’. We’ll also look at potential data breach compensation amounts by considering some data breach compensation examples.
When you visit medical facilities like a dental practice, GP surgery, pharmacy or hospital, you’ll probably need to provide information about yourself or update information that’s already held on file.
When you supply that information, it’s important that the medical service provider stores it safely and doesn’t use it in ways that you’ve not authorised them to. In this guide, we will explain when you could claim compensation for a medical data breach. We’ll consider what could cause one to happen, the harm that it could lead to and when you might be entitled to make a claim.
What Is A Medical Data Breach And How Do I Claim Compensation?
Following the introduction of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, the Information Commissioner’s Office (ICO) has been able to fine organisations that breach data rules. Below, we’ll provide some examples of penalties that have been issued after the misuse of medical data.
Our team of friendly advisors can help if you decide you’d like to make a claim. We provide free legal advice on any claim following a no-obligation assessment of what’s happened. If your case appears to merit compensation, you could be referred to a specialist solicitor who’ll work for you on a No Win No Fee basis if your claim is accepted.
To find out more about how Legal Expert can help, please call us on 0800 073 8804 today. Alternatively, you’ll find more information on medical compensation claims throughout the rest of this guide.
Select A Section
- A Guide To Medical Compensation Claims
- What Is A Medical Data Breach?
- What Could Be The Impacts Of Medical Data Breaches?
- Types Of Medical Data Breach Incidents You Could Be Impacted By
- Who A Medical Data Breach Claim Could Be Made Against
- NHS Medical Data Breach Compensation
- Private Medical Practice Compensation
- Examples Of Fines The ICO Has Issued For Medical Data Breaches
- What Financial Losses Or Distress Could You Claim For?
- Examples Of Medical Data Breach Compensation Payouts
- How To Report A Medical Data Breach To The Information Commissioner’s Office
- No Win No Fee Medical Compensation
- Speak To Our Experts
- Quick Data Breach Resources
A Guide To Medical Compensation Claims
When you visit a doctor, dentist, optician or pharmacist, you need to have complete faith that their medical expertise will mean you’ll be treated correctly. You also have faith that the procedures and systems they’ve put in place to manage data will mean that your personal or sensitive information doesn’t end up in the wrong hands. While that’s often the case, mistakes can happen, which means you might need to make a medical data breach claim.
When you visit a medical facility for treatment or when you register with them, you’ll probably need to complete some paperwork. Within the forms you’ll fill in, you will probably see some questions or tick boxes relating to the use of your personal information.
The answers you give will determine how the organisation in question can use data about you, including sharing it with other organisations. One of the key rules of the GDPR is that, once your preferences have been collected, they are adhered to.
What is the time limit in which to file a compensation claim?
If you want to make a data breach compensation claim, you’ll need to do so within the relevant time limits. In general, data breach claims need to be submitted within six years. For claims relating to a breach of your human rights, that time limit is reduced to just one year.
Although six years does seem to be a large amount of time to make a claim, our advice is to start as early as possible. We find that claimants find it much easier to remember what happened and the effects of the data breach in the months after they found out about it rather than four or five years down the road. Moreover, your solicitor will probably find it’s easier to get hold of supporting evidence if the event has only happened recently.
What Is A Medical Data Breach?
In the GDPR, a personal data breach is listed as a security breach that results in personally identifiable information being lost, destroyed, altered, disclosed or accessed in ways that you have not previously authorised. Whether the act was deliberate, accidental, or illegal does not matter – you could still go on to make a compensation claim for the harm caused.
Importantly, data breaches don’t have to involve digital information. They are just as likely to involve physical printed documentation. For instance, a breach could happen if medical records containing personal information are thrown into the bins rather than shredded securely.
You should be informed of a data breach if a medical organisation discovers one has taken place. They should let you know what happened, when the breach occurred and what information was accessed.
What Could Be The Impacts Of Medical Data Breaches?
If your house was broken into and documents containing your personal information were stolen, you’d feel a lot of anger, stress and anxiety about how that information might be used.
The same feelings are likely when you find out about a medical data breach involving your private information. In serious cases, it’s quite possible that the impact of a breach could lead to you struggling to cope with many aspects of everyday life. In addition, the distress caused by a data breach could mean your job is affected, or your relationships with friends, colleagues and family could all suffer. This could result in a diagnosed psychological condition, like post-traumatic stress disorder, stress or anxiety.
As well as the medical impact of this type of incident, there could be a financial impact. In fact, some effects might not be noticed until months or even years have passed since the breach took place. That could be the case if your personal or sensitive information ends up in the hands of criminals who use it to apply for credit or even blackmail you.
Types Of Medical Data Breach Incidents You Could Be Impacted By
There are a fair few scenarios that could lead to your personal medical information being exposed. Here are some examples:
- When non-medical staff read your records because a computer terminal is left unlocked.
- If documentation containing identifiable information is not disposed of securely.
- Where NHS staff access your medical records when there is no medical reason for them to do so.
- If a letter intended for you is emailed or posted to the wrong address.
- If the medical computer system is hacked or infected with malware, ransomware or spyware.
- A medical organisation uses data containing your information in a trial of which you were not made aware.
- If your prescription is given to the wrong patient and they’re able to identify you.
This is just a small sample of the types of incidents that could lead to a medical data breach compensation claim. If you suspect your information has been leaked and you’ve suffered as a result, please get in touch with our team today.
Who A Medical Data Breach Claim Could Be Made Against
Within the GDPR, the role of the data controller is defined as the organisation or individual who defines why your personal information is required and how it will be processed. Usually, the data controller will be investigated by the ICO if there is a breach, and they will usually be the party you would sue. That said, it is also possible to claim against the data processor as well.
Here is a list of those who could be sued for a GDPR data breach:
- GP surgeries.
- Dental surgeries.
- Hospitals or the NHS Trust which runs them.
- Individual healthcare staff.
- Private health companies.
NHS Medical Data Breach Compensation
In reality, nobody wants to claim against the NHS. It is a wonderful organisation that helps patients up and down the country every day, even in the current tricky climate.
However, if you’ve been the victim of a data breach that has caused you harm, you might need to seek compensation to help aid your recovery both financially and psychologically. NHS Trusts, doctors, dentists and other service providers usually pay a premium each year to cover any such compensation cases, so you shouldn’t feel pressure not to start a claim if you’ve been wrongfully harmed.
Here are some examples of parts of the NHS you could claim against:
- GP practices.
- NHS Trusts or a specific hospital.
- Dental surgeries.
- Opticians or the company that operates the practice.
Please see our guide on making an NHS data breach claim for more information.
Private Medical Practice Compensation
It’s important to point out that it’s not just NHS facilities that have a duty to protect your data. Private healthcare companies have the same legal responsibility to secure any information you provide them. Failure to do so could mean you’re entitled to claim against an individual practitioner or the private healthcare company that employs them.
Examples Of Fines The ICO Has Issued For Medical Data Breaches
In this section, we’re going to provide a few examples of data breaches that have meant the ICO had to step in and conduct an investigation:
- An NHS Trust was fined £180,000 after a sexual health clinic in London sent an email to around 800 patients who’d attended an HIV clinic. The fine was issued because every recipient could see everybody else’s email address and name. This meant there was a real risk of patients identifying others and the fact that they could be HIV positive.
- In a similar case, a gender identity clinic in London sent an email to around 2,000 people on its mailing list. The same mistake was made where the CC field was used instead of the BCC field, meaning every recipient could see the email address and name of everyone else who had received the email.
- A pharmacy in London was issued a £275,000 fine because it had stored 500,000 pieces of documentation containing personally identifiable patient information in unlocked containers at the back of its premises.
Data Breach Statistics
The Information Commissioner’s Office (ICO) publishes new data breach statistics every quarter. The figures discussed here cover January-March 2021. They are eye-opening, especially considering the number of data breaches in the top five business sectors within the United Kingdom.
So, in total, there were 2,425 data breach incidents when combining non-cyber security and cybersecurity incidents. The five most prevalent areas are education and childcare, health, land or property services, local government, and retail and manufacturing.
For education and childcare, there were 342 breaches when combining non-cyber and cybersecurity breaches. The ICO’s figures also note 420 breaches for the health sector, 112 for land or property services, 239 for local government (a particularly concerning statistic) and 231 for retail and manufacturing.
There are also various forms of data breaches for each area. So, the non-cyber incidents include altering personal data, emailing data to the wrong person or incorrect data subjects for client portals, and posting or faxing data to the wrong recipients.
A failure to redact or use blind carbon copies in emails is also prevalent, along with incorrectly disposing of hardware and paperwork. Furthermore, there’s the loss or theft of devices with personal data and paperwork and leaving data in areas that aren’t safe.
Other examples include access without authorisation and verbally disclosing the presence of personal data.
Cyber incidents include brute-force attacks, denial of service, hardware or software misconfiguration, malware, phishing and ransomware. All of these make up the four-figure total number of data breaches across UK businesses during the first three months of 2021.
The figures for the aforementioned top five most-affected businesses can be seen in the graph below.
If you’ve been impacted by something described above, you could be entitled to data breach compensation. Get in touch with our team today to learn more.
What Financial Losses Or Distress Could You Claim For?
When you claim for problems caused by a data breach, the claim will usually be broken down into two parts:
- Material damages claims are made to recover any financial losses that have occurred as a result of the breach.
- Non-material damages claims are used to compensate you for any diagnosed psychological injuries.
There are a lot of things to consider before submitting your claim, though. For instance, if you’re asking for compensation for financial losses, your solicitor will probably consider future losses that could be incurred too. That could be the case if your personal information were obtained by a criminal who used it to obtain finance. If that’s happened, your credit file and ability to take out credit could be affected for years.
Also, if looking to claim for psychological injuries, your solicitor will use medical experts to assess the impact of any stress, anxiety or Post-Traumatic Stress Disorder (PTSD). These could all affect your work, education, everyday life and also affect your relationships with others.
If you’d like your case assessed thoroughly by one of our specialist solicitors, why not speak to an advisor today? They’ll review your claim with you and could refer your case to a solicitor if it has a reasonable chance of success.
Examples Of Medical Data Breach Compensation Payouts
The case of Vidal-Hall and others v Google Inc established an important legal precedent in the Court of Appeal. The judgement now means that you can claim for psychological damage caused by a data breach without needing to have suffered financial losses.
This means that if, for example, you’re seeking medical data breach compensation, you can still claim for a psychological injury, such as post-traumatic stress disorder (PTSD) even if your finances haven’t been impacted.
The Judicial College Guidelines (JCG) are used by solicitors and lawyers to help them calculate how much your claim is worth. The figures below have been taken from the latest guidelines that were published in April 2022.
| Injury Type | Level of Severity | Settlement Range | Additional Notes |
|---|---|---|---|
| Psychiatric Damage Generally | | | The 4 factors considered when settling psychiatric damage claims are 1) The claimant's ability to cope with life, education and work, 2) the effect on relationships, 3) whether treatment would be successful, and 4) future vulnerability. |
| Psychiatric Damage Generally | Severe | £54,830 to £115,730 | The claimant will have marked problems with all four factors listed above and a very poor prognosis. |
| Psychiatric Damage Generally | Moderately Severe | £19,070 to £54,830 | In this category, there will be significant problems with the factors listed but the prognosis will be more optimistic. |
| Psychiatric Damage Generally | Moderate | £5,860 to £19,070 | In this category, most of the problems associated with the factors listed will have improved significantly and there will be a good prognosis. |
| Psychiatric Damage Generally | Less Severe | £1,540 to £5,860 | This category considers how long any disabilities lasted and how long daily activities and sleep were impacted. |
| Post-Traumatic Stress Disorder | Severe | £59,860 to £100,670 | There will be permanent symptoms of PTSD in this category which could include hyper-arousal, suicidal ideation, flashbacks or mood disorders which will affect all aspects of the claimant's life. |
| Post-Traumatic Stress Disorder | Moderate | £8,180 to £23,150 | In this category, the claimant will suffer significant disabilities for the foreseeable future but, with professional assistance, things should improve meaning there will be a better prognosis. |
Please remember that these figures are not guarantees as every claim is unique. Should your claim be successful, the amount of medical data breach compensation you could receive is based on many different factors. This can include the extent of your injuries, your recovery plan, prognosis and if any permanent symptoms have been caused.
You would need evidence to prove that your injury was caused as a result of your personal data being compromised. Contact our team for free legal advice using the above details to see if you can claim.
More medical data breach compensation payouts
The figures in the table above relate to non-material damages. In other words, they are not related to financial loss, but to the suffering caused by the data breach.
However, if someone has breached your medical data, a claim could be made for material damages in certain circumstances. For instance, it’s possible that the impact on your mental health made it difficult to return to work.
If this is the case, then you could be eligible for a loss of earnings payment. This is an example of material damages. This figure is to reimburse you for costs that can be caused by a breach of your medical data. Your compensation could be made up of both material and non-material damages combined.
As an additional resource in getting an estimate for the value of your claim, you can also use our data breach compensation calculator. Or, you can also get in touch with our advisors. They will be able to ask you detailed questions about your circumstances, resulting in a more accurate valuation.
How To Report A Medical Data Breach To The Information Commissioner’s Office
If you make a compensation claim, you will need to supply some evidence of what happened. The first way you could try to obtain this is to follow the organisation’s complaints procedure. When you complain, the organisation in question should respond with their findings. If you’re not happy with the outcome of their investigation, their response should tell you how to escalate the complaint.
If you’ve exhausted all escalation routes and are still unhappy with the outcome, you could raise a complaint with the ICO. They say that you should do this once it’s been 3 months since your last meaningful communication with the organisation. If you leave it too late, the ICO has the right to refuse your case.
You should bear in mind that you don’t have to involve the ICO to make a medical data breach claim, and, even if you do, they cannot award you compensation; they can only fine the party responsible for the breach. The only way you could be compensated is to start your own legal proceedings against the organisation responsible.
If you contact Legal Expert about your case, and it is accepted by one of our solicitors, they could negotiate with the defendant directly to try and reach an amicable settlement figure on your behalf. If that’s unlikely to achieve a positive outcome, they might advise you to contact the ICO, so you have more formal evidence of what happened.
No Win No Fee Medical Compensation
There is one common reason why people don’t make compensation claims – the fact that they’re worried about the cost of hiring a solicitor. Our team of solicitors can remove much of that worry because they offer a No Win No Fee service for all claims they accept. Not only is your financial risk reduced, but the whole claims process becomes a lot less stressful too.
Before accepting your claim, a solicitor will review whether it’s viable or not. Once they’re happy, you’ll be given a Conditional Fee Agreement or CFA to sign. This is your contract and sets out what your solicitor will do for you. It will also explain that:
- You won’t pay any charges upfront, which allows the case to begin quickly.
- There are no hidden charges or solicitor’s fees payable while the case progresses.
- If the case is lost, your solicitor won’t charge you any fees.
Should your claim be won and compensation paid, your solicitor will retain a small percentage to cover their work and costs. This ‘success fee’ is limited by law, and the exact percentage you’ll pay is listed in the CFA, so there aren’t any surprises when the claim is finalised.
Speak To Our Experts
If you’d like to discuss claiming with Legal Expert today, or if you have any questions about the process, you can:
- Call a specialist for free claims advice on 0800 073 8804.
- Send us an email with details of your claim to firstname.lastname@example.org.
- Start your claim online to arrange a call back at a convenient time.
- Ask an online advisor for support in our online chat facility.
Quick Data Breach Resources
Thanks for taking the time to complete this guide about making medical data breach claims. In this final section, we’ve provided you with some additional links and resources which we believe could be useful. If there’s anything else you’d like to know, please ask an advisor today.
Data Breach Compensation Claims – Our detailed guide to the data protection breach claims process
I Suffered Stress After A Data Breach – Find out more about claiming for psychological injuries after a data breach
My Personal Data Has Been Lost – Learn what to do if your private information has been lost
Do I Have An Anxiety Disorder? – NHS advice on how anxiety disorders are diagnosed.
Be Data-Aware – An ICO article that explains how organisations might use information about you.
NHS Complaints Procedure – The formal routes you can take to complain about the NHS.
Data Breach FAQs
How much compensation do you get for a breach of data protection?
A typical compensation amount tends to lie between £1,000 and £42,900.
Can I sue for a data breach?
You could sue for a data breach if you discover that you’re the victim of such an occurrence due to negligence.
What are the 3 categories of personal data breaches?
These are a confidentiality breach, an availability breach and an integrity breach.
How long do data breach claims take?
This can vary from several months to several years, depending on the circumstances and the evidence available.
What happens if your data suffers a breach?
It could quickly result in millions of private data records being in the public domain.
Is a data breach illegal?
A data breach that happens intentionally represents illegal activity on behalf of the perpetrator.
Could I lose my job for breaching GDPR?
Yes, you could lose your job if your actions and/or lack thereof cause a serious data breach.
How much could a fine be for a GDPR breach?
The maximum EU fine for a GDPR breach is up to €20 million, or approximately £18 million.
Thank you for reading our guide on medical data breach compensation claims, which answers popular queries such as ‘how much compensation for a data breach?’ We hope you found the information in this guide, including the data breach compensation amounts and data breach compensation examples highlighted, to be useful.