Medical Data Breach Compensation Claims Guide
By Danielle Jordan. Last Updated 6th October 2023. Welcome to our guide on medical data breach compensation claims. Within this guide, we’ll answer questions such as ‘how much compensation for a data breach?’. We’ll also look at potential data breach compensation amounts by considering some data breach compensation examples.
When you visit medical facilities like a dental practice, GP surgery, pharmacy or hospital, you’ll probably need to provide information about yourself or update information that’s already held on file.
When you supply that information, it’s important that the medical service provider stores it safely and doesn’t use it in ways that you’ve not authorised them to. In this guide, we will explain when you could claim compensation for a medical data breach. We’ll consider what could cause one to happen, the harm that it could lead to and when you might be entitled to make a claim.
What Is A Medical Data Breach And How Do I Claim Compensation?
Following the introduction of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, the Information Commissioner’s Office (ICO) has been able to fine organisations that breach data rules. Below, we’ll provide some examples of penalties that have been issued after the misuse of medical data.
Our team of friendly advisors can help if you decide you’d like to make a claim. We provide free legal advice on any claim following a no-obligation assessment of what’s happened. If your case appears to merit compensation, you could be referred to a specialist solicitor who’ll work for you on a No Win No Fee basis if your claim is accepted.
To find out more about how Legal Expert can help, please call us on 0800 073 8804 today. Alternatively, you’ll find more information on medical compensation claims throughout the rest of this guide.
When Am I Eligible To Claim For Medical Data Breach Compensation?
In order to be eligible to claim medical data breach compensation, you must be able to prove that your personal data was breached due to an organisation’s failings. Additionally, you must have suffered financial loss or psychological harm due to the personal data breach.
Personal data is any information that could directly identify you, or could in combination with other information. Some examples of personal data include your name, home address, and national insurance number. Some personal data is classed as special category data. This is information that needs more protection as it is sensitive. Any data concerning your health is considered as special category data.
Any organisation that processes your personal data must adhere to the rules set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). Together, these pieces of legislation make up data protection law. Per data protection law, any organisation that processes your personal data must take all the necessary steps to protect your data. Failure to do so could result in your personal information being involved in a breach.
A personal data breach is a security incident that affects the availability, confidentiality or integrity of your personal data. If you can prove that your personal medical data was involved in a breach due to an organisation’s failings, and you suffered harm as a result of the breach, you could be eligible to claim compensation.
What is the time limit in which to file a compensation claim?
If you want to make a data breach compensation claim, you’ll need to do so within the relevant time limits. In general, data breach claims need to be submitted within six years. For claims relating to a breach of your human rights, that time limit is reduced to just one year.
Although six years does seem to be a large amount of time to make a claim, our advice is to start as early as possible. We find that claimants find it much easier to remember what happened and the effects of the data breach in the months after they found out about it rather than four or five years down the road. Moreover, your solicitor will probably find it’s easier to get hold of supporting evidence if the event has only happened recently.
What Is A Medical Data Breach?
In the GDPR, a personal data breach is defined as a security breach that results in personally identifiable information being lost, destroyed, altered, disclosed or accessed in ways that you have not previously authorised. Whether the act was deliberate, accidental or illegal does not matter – you could still go on to make a compensation claim for the harm caused.
Importantly, data breaches don’t have to involve digital information. They are just as likely to involve physical printed documentation. For instance, a breach could happen if medical records containing personal information are thrown in the bin rather than shredded securely.
You should be informed of a data breach if a medical organisation discovers one has taken place. They should let you know what happened when the breach occurred and what information was accessed.
What Could Be The Impacts Of Medical Data Breaches?
If your house was broken into and documents containing your personal information were stolen, you’d feel a lot of anger, stress and anxiety about how that information might be used.
The same feelings are likely when you find out about a medical data breach involving your private information. In serious cases, it’s quite possible that the impact of a breach could lead to you struggling to cope with many aspects of everyday life. In addition, the distress caused by a data breach could mean your job is affected, or your relationships with friends, colleagues and family could all suffer. This could result in a diagnosed psychological condition, like post-traumatic stress disorder, stress or anxiety.
As well as the medical impact of this type of incident, there could be a financial impact. In fact, some effects might not be noticed until months or even years have passed since the breach took place. That could be the case if your personal or sensitive information ends up in the hands of criminals who use it to apply for credit or even blackmail you.
If you feel you’ve suffered due to a data breach involving medical information, please let us know what happened, and a member of our team will assess your case for free.
What To Do After A Medical Data Breach
Following a medical data breach, you may wish to seek compensation. However, you must be able to prove that you meet the eligibility criteria for data breach claims. This is set under Article 82 of the UK GDPR as:
- The breach must have occurred because the data controller or processor failed to adhere to the data protection legislation. A data controller determines why personal data needs to be processed and how to go about it. The processor then processes it on the controller’s behalf.
- Your personal data must have been compromised in the breach.
- As a result of this breach, you must suffer harm. This could be a financial loss, such as credit or loans being taken out in your name, or damage to your mental health, such as anxiety due to the data breach.
The organisation should notify you of a breach of your personal data without undue delay if it could put your rights and freedoms at risk. If you suspect that your personal data has been breached but haven’t received a letter of notification, you can alert the organisation yourself.
You may also like to report the breach to the Information Commissioner’s Office (ICO), an independent authority that upholds data protection law. As part of its role in protecting data rights, it can investigate certain data breaches and issue fines. However, you should report the breach within three months of your last meaningful communication with the organisation.
You could also collect evidence regarding the harm you have suffered due to the personal data breach. A copy of your medical records stating any mental injuries you have been diagnosed with could help with proving the psychological harm you have suffered. A copy of your debit, credit and bank statements could help prove the financial losses you’ve experienced.
If you have any questions about medical data breach compensation, speak with an advisor from our team.
Medical Data Breach Examples
In this section, we look at personal data protection breach examples which may lead to a data breach compensation claim. Below are some examples of a medical data breach:
- Documents may be stolen because of poor security, resulting in lost medical records
- A letter meant for you might be posted to the wrong home address resulting in someone gaining inappropriate access to your medical records
- A computer might be targeted by malware resulting in medical records being stolen
- Medical records may not be properly disposed of; for example they aren’t shredded
- Information regarding your medical conditions may be emailed to the wrong email address so that someone without authorisation can see them
If you don’t see your situation here, you may still be able to claim. Speak to our advisors for a free eligibility check. If they feel your claim has a good chance of success, you could potentially be put through to one of our expert solicitors.
Compensation For Breach Of Data Protection – Evidence Examples
Healthcare data can be sensitive. It can pertain to many different aspects of a patient’s life, including their health, age and even home address. Whilst you may be able to claim should a data breach impact you, you will need to prove that this is the case.
There are a few ways you can prove a data breach has happened and it has affected your life. Here are a few examples:
- Emails – For instance, the hospital may have contacted you to notify you of a breach.
- Letters – Your home address may have been distributed without your permission, leading to you receiving unsolicited correspondence from an unfamiliar source.
- Bank statements – If your finances have been affected by the data breach.
Following a breach of the UK GDPR, medical records may be accessed or used in another unauthorised way. Make sure you check through your affairs to see which areas (if any) of your life have been impacted. Don’t hesitate to get in touch if you have any questions.
Who A Medical Data Breach Claim Could Be Made Against
Within the GDPR, the role of the data controller is defined as the organisation or individual who defines why your personal information is required and how it will be processed. Usually, the data controller will be investigated by the ICO if there is a breach, and they will usually be the party you would sue. That said, it is also possible to claim against the data processor as well.
Here is a list of those who could be sued for a GDPR data breach:
- GP surgeries.
- Dental surgeries.
- Hospitals or the NHS Trust which runs them.
- Individual healthcare staff.
- Private health companies.
NHS Medical Data Breach Compensation
In reality, nobody wants to claim against the NHS. It is a wonderful organisation that helps patients up and down the country every day, even in the current tricky climate.
However, if you’ve been the victim of a data breach that has caused you harm, you might need to seek compensation to help aid your recovery both financially and psychologically. NHS Trusts, doctors, dentists and other service providers usually pay a premium each year to cover any such compensation cases, so you shouldn’t feel pressure not to start a claim if you’ve been wrongfully harmed.
Here are some examples of parts of the NHS you could claim against:
- GP practices.
- NHS Trusts or a specific hospital.
- Dental surgeries.
- Opticians or the company that operates the practice.
Please see our guide on making an NHS data breach claim for more information.
Private Medical Practice Compensation
It’s important to point out that it’s not just NHS facilities that have a duty to protect your data. Private healthcare companies have the same legal responsibility to secure any information you provide them. Failure to do so could mean you’re entitled to claim against an individual practitioner or the private healthcare company that employs them.
Examples Of Fines The ICO Has Issued For Medical Data Breaches
In this section, we’re going to provide a few examples of data breaches that have meant the ICO had to step in and conduct an investigation:
- An NHS Trust was fined £180,000 after a sexual health clinic in London sent an email to around 800 patients who’d attended an HIV clinic. The fine was issued because every recipient could see everybody else’s email address and name. This meant there was a real risk of patients identifying others and the fact that they could be HIV positive.
- In a similar case, a gender identity clinic in London sent an email to around 2,000 people on its mailing list. The same mistake was made where the CC field was used instead of the BCC field, meaning every recipient could see the email address and name of everyone else who had received the email.
- A pharmacy in London was issued a £275,000 fine because it had stored 500,000 pieces of documentation containing personally identifiable patient information in unlocked containers at the back of its premises.
Data Breach Statistics
The Information Commissioner’s Office (ICO) provides new data breach statistics every quarter. At the time of writing, these cover January-March 2021, and the figures are eye-opening, especially considering the number of data breaches in the top five business sectors within the United Kingdom.
So, in total, there were 2,425 data breach incidents when combining non-cyber security and cybersecurity incidents. The five most prevalent areas are education and childcare, health, land or property services, local government, and retail and manufacturing.
For education and childcare, there were 342 breaches when combining non-cyber and cybersecurity breaches. The ICO’s figures also note 420 breaches for the health sector and 112 for land or property services. Not to mention 239 for local government (a particularly concerning statistic) and 231 for retail and manufacturing.
There are also various forms of data breaches for each area. The non-cyber incidents include altering personal data, emailing data to the wrong person, showing data to the incorrect data subject on client portals, and posting or faxing data to the wrong recipient.
A failure to redact, or to use blind carbon copy (BCC) in emails, is also prevalent, along with incorrectly disposing of hardware and paperwork. Furthermore, there is the loss or theft of devices and paperwork holding personal data, and leaving data in areas that aren’t secure.
Other examples include access without authorisation and verbally disclosing personal data.
Cyber incidents include brute force attacks, denial of service, misconfiguration of hardware or software, malware, phishing and ransomware. All of these make up the four-figure total number of data breaches across UK businesses during the first three months of 2021.
The figures for the aforementioned top five most-affected businesses can be seen in the graph below.
If you’ve been impacted by something described above, you could be entitled to data breach compensation. Get in touch with our team today to learn more.
What Financial Losses Or Distress Could You Claim For?
When you claim for problems caused by a data breach, the claim will usually be broken down into two parts:
- Material damages claims are made to recover any financial losses that have occurred as a result of the breach.
- Non-material damages claims are used to compensate you for any diagnosed psychological injuries.
There are a lot of things to consider before submitting your claim, though. For instance, if you’re asking for compensation for financial losses, your solicitor will probably consider future losses that could be incurred too. That could be the case if your personal information was obtained by a criminal who used it to obtain finance. If that’s happened, your credit file and ability to take out credit could be affected for years.
Also, if looking to claim for psychological injuries, your solicitor will use medical experts to assess the impact of any stress, anxiety or Post-Traumatic Stress Disorder (PTSD). These could all affect your work, education, everyday life and also affect your relationships with others.
If you’d like your case assessed thoroughly by one of our specialist solicitors, why not speak to an advisor today? They’ll review your claim with you and could refer your case to a solicitor if it has a reasonable chance of success.
Medical Data Breach Compensation Examples
In this section, we’ll discuss data breach compensation examples relating to non-material damage. Following the case of Gulati & Others v MGN Ltd (2015), it was ruled that psychological harm in a data breach claim can be valued similarly to a personal injury claim.
Therefore, we may use the Judicial College Guidelines (JCG) to give you an idea of how much compensation you could be awarded. The April 2022 update of the JCG features compensation brackets for a number of injuries, including mental health problems.
Please note that the figures below should only be used as guidelines. Any material damage will also be assessed when you are awarded a data breach payout, which we’ll discuss in the next section.
| Injury Type | Level of Severity | Settlement Range | Additional Notes |
|---|---|---|---|
| Psychiatric Damage Generally | | | The four factors considered when settling psychiatric damage claims are 1) the claimant's ability to cope with life, education and work, 2) the effect on relationships, 3) whether treatment would be successful, and 4) future vulnerability. |
| Psychiatric Damage Generally | Severe | £54,830 to £115,730 | The claimant will have marked problems with all four factors listed above and a very poor prognosis. |
| Psychiatric Damage Generally | Moderately Severe | £19,070 to £54,830 | In this category, there will be significant problems with the factors listed but the prognosis will be more optimistic. |
| Psychiatric Damage Generally | Moderate | £5,860 to £19,070 | In this category, most of the problems associated with the factors listed will have improved significantly and there will be a good prognosis. |
| Psychiatric Damage Generally | Less Severe | £1,540 to £5,860 | This category considers how long any disabilities lasted and how long daily activities and sleep were impacted. |
| Post-Traumatic Stress Disorder | Severe | £59,860 to £100,670 | There will be permanent symptoms of PTSD in this category, which could include hyper-arousal, suicidal ideation, flashbacks or mood disorders, and which will affect all aspects of the claimant's life. |
| Post-Traumatic Stress Disorder | Moderate | £8,180 to £23,150 | In this category, the claimant will suffer significant disabilities for the foreseeable future but, with professional assistance, things should improve, meaning there will be a better prognosis. |
You would need evidence to prove that your injury was caused as a result of your personal data being compromised. Contact our team for free legal advice using the above details to see if you can claim.
What Else Can Be Included In A Medical Data Breach Compensation Amount?
You may also be awarded compensation for your material damage as part of your medical data breach compensation amount. Material damage refers to the financial losses you have experienced due to your personal data being breached.
For example, if the data breach caused you to suffer harm to your mental health, it may be difficult for you to return to work. Subsequently, your earning capacity could be affected.
When making a personal data breach claim for your material damage, you will need to provide evidence of your financial losses, such as with a copy of your bank statements.
If you have any questions about claiming for medical or NHS data breach compensation, our advisory team can be contacted at any time. You won’t have to pay to speak with our advisors nor will you be obligated to continue using our services afterwards.
How To Report A Medical Data Breach To The Information Commissioner’s Office
If you make a compensation claim, you will need to supply some evidence of what happened. The first way you could try to obtain this is to follow the organisation’s complaints procedure. When you complain, the organisation in question should respond with its findings. If you’re not happy with the outcome of its investigation, the response should tell you how to escalate the complaint.
If you’ve exhausted all escalation routes and are still unhappy with the outcome, you could raise a complaint with the ICO. It says that you should do this once it’s been 3 months since your last meaningful communication with the organisation. If you leave it too late, the ICO has the right to refuse your case.
You should bear in mind that you don’t have to involve the ICO to make a medical data breach claim, and, even if you do, they cannot award you compensation; they can only fine the party responsible for the breach. The only way you could be compensated is to start your own legal proceedings against the organisation responsible.
If you contact Legal Expert about your case, and it is accepted by one of our solicitors, they could negotiate with the defendant directly to try and reach an amicable settlement figure on your behalf. If that’s unlikely to achieve a positive outcome, they might advise you to contact the ICO, so you have more formal evidence of what happened.
No Win No Fee Solicitors For Medical Data Breach Claims
In the UK, medical data is considered special category data. If you suffered due to your personal data’s inclusion in a health data breach, you might be eligible to claim compensation. A No Win No Fee solicitor could support your health data breach claim. They could provide their services under a Conditional Fee Agreement (CFA).
Typically, in medical data breach claims made with the support of No Win No Fee solicitors, upfront solicitors’ fees aren’t charged. If your health data breach claim is successful, a legally capped success fee will be taken from the award. When a claim fails, the claimant typically is not asked to pay for the solicitor’s work.
Our advisors can answer any questions you may have about medical data breach claims. Should you have a claim that seems eligible, you could be passed on to our solicitors.
Quick Data Breach Resources
Thanks for taking the time to complete this guide about making medical data breach claims. In this final section, we’ve provided you with some additional links and resources which we believe could be useful. If there’s anything else you’d like to know, please ask an advisor today.
- Data Breach Compensation Claims – Our detailed guide to the data protection breach claims process.
- I Suffered Stress After A Data Breach – Find out more about claiming for psychological injuries after a data breach.
- My Personal Data Has Been Lost – Learn what to do if your private information has been lost.
- Do I Have An Anxiety Disorder? – NHS advice on how anxiety disorders are diagnosed.
- Be Data-Aware – An ICO article that explains how organisations might use information about you.
- NHS Complaints Procedure – The formal routes you can take to complain about the NHS.
Data Breach FAQs
How much compensation do you get for a breach of data protection?
A typical compensation amount tends to lie between £1,000 and £42,900.
Can I sue for a data breach?
You could sue for a data breach if you discover that you’re the victim of such an occurrence due to negligence.
What are the 3 categories of personal data breaches?
These are a confidentiality breach, an availability breach and an integrity breach.
How long do data breach claims take?
This can vary from several months to several years, depending on the circumstances and the evidence available.
What happens if your data suffers a breach?
It could quickly result in millions of private data records being in the public domain.
Is a data breach illegal?
A data breach that happens intentionally represents illegal activity on behalf of the perpetrator.
Could I lose my job for breaching GDPR?
Yes, you could lose your job if your actions and/or lack thereof cause a serious data breach.
How much could a fine be for a GDPR breach?
The maximum EU fine for a GDPR breach is up to €20 million, or approximately £18 million.
Thank you for reading our guide on medical data breach compensation claims, which answers popular queries such as ‘how much compensation for a data breach?’ We hope you found the information in this guide, including the data breach compensation amounts and data breach compensation examples highlighted, to be useful.