Medical Records Data Breach – How To Claim Compensation
How To Claim For A Medical Records Data Breach
In this guide, we’ll look at when a medical records data breach claim might be necessary.
When you provide information about yourself to a medical organisation, it’s probably not the sort of thing you’d like to be shared around. Your medical records contain a lot of information that is both sensitive and personal. As such, it is likely to fall within the scope of the General Data Protection Regulation (GDPR). Because of this new law, your medical records need to be stored as securely as possible. If personal data is lost, leaked or accessed illegally, you could be eligible to sue for any suffering that results.
To try and protect data about individuals (or data subjects), the ICO has the ability to investigate data breaches. Whilst they are able to fine organisations (or data controllers) who’ve broken the law, they cannot issue compensation if you’ve been harmed by a personal data breach. For that reason, we will explain how to start legal action yourself.
If you are interested in working with Legal Expert, you can contact our specialist advisors on 0800 073 8804 to begin. To find out more about medical records and data protection before contacting us, please read on.
Select A Section
- A Guide To Medical Records Data Breach Claims
- What Is A Medical Records Data Breach?
- The GDPR And Access To Medical Records
- How Healthcare Providers Could Breach Your Medical Privacy
- Examples Of Data Protection Breaches Of Medical Records
- How To Report Health And Social Care Services To The ICO
- Check What You Could Claim For A Breach Of Your Medical Data
- Calculating Compensation For A Medical Records Data Breach
- No Win No Fee Medical Records Data Breach Claims
- Finding Lawyers Who Handle Medical Data Breach Claims
- Contact Us
- Data Breach Resources
- Medical Data Breach Statistics
- FAQs For Healthcare Sector Data Breaches
A Guide To Medical Records Data Breach Claims
As you may know, medical professionals have a legal duty of care to try and keep you from harm when treating you. They also have an obligation to keep any personal data about you safe as well. To achieve this, the NHS has spent a lot of time and money implementing systems and procedures that aim to prevent data leakage.
However, mistakes can happen, and these can lead to personal data being accessed illegally. If information about you is exposed by a medical records data breach, you could seek compensation for the resulting harm to your finances and mental health.
The idea of the GDPR is to allow you a bit more control over the ways in which organisations use your information. To collect and process personal data, there now needs to be a valid and lawful basis.
According to the ICO, there are 6 ways in which this can be established. One way is to ask for your permission to process your data. That’s why you will sometimes be asked to tick boxes about data use and data sharing when registering with medical establishments.
The type of damage that could entitle you to seek data breach compensation includes:
- Financial losses – this could include expenses or losses sustained because of criminal activity.
- Psychological injuries – you could claim for any suffering that results from anxiety, stress or depression caused by the data breach.
We need to point out that medical data breach claims have time limits. Mostly, the relevant limitation period is 6 years. This runs from the date you gained knowledge of the breach. Please be aware, though, that claims centring on human rights breaches must be made within 1 year.
What Is A Medical Records Data Breach?
A medical records data breach may occur after some type of security event. Following the incident, personal information contained within medical records could be lost, disclosed, accessed, destroyed or changed without your consent. Breaches don’t need to be caused by illegal activity, though. You could seek compensation if you’ve suffered because of an accidental data breach too.
While we often read about data breaches that are caused by cyber attackers (involving phishing emails, hacking, viruses, ransomware and other similar methods), the GDPR also applies to physical documents if there are plans to store them in a filing system or add them to a computer system. Therefore, any old printed or hand-written medical records must be protected too.
If a medical service provider is made aware of a breach involving your data, they need to let you know about it without undue delay. They should explain when the breach happened, the data that was exposed and how the incident occurred.
The GDPR And Access To Medical Records
The GDPR is a strict set of data safety rules that came into force in 2018. It covers any data that might be used to identify an individual. There is some information that could be used to identify you directly such as:
- Your name.
- NHS number.
- Telephone numbers.
- Email address.
- Home address.
In addition to this type of information, some information about your characteristics is covered as well. That is because it might lead indirectly to your identification. For example, details relating to your marital status, a disability, your ethnicity or your religious beliefs would be covered.
As a lot of this information will be found in medical records, they are covered by the GDPR and the DPA. The rules will therefore apply to who can access your data directly and who it can be shared with. Where illegal access to your information causes you to suffer mental or financial damage, you could be entitled to start a claim.
How Healthcare Providers Could Breach Your Medical Privacy
So, how could a healthcare provider breach the rules of the GDPR? Well, they could:
- Send an email, fax or letter containing personal data to the wrong recipient.
- Share information from your medical records without your consent.
- Open your medical records on a computer in a publicly accessible place, meaning unauthorised parties could view your details.
- Be the victim of ransomware where hackers gain access to patient medical records to extort money.
- Dispose of paper-based records containing personal information in an insecure fashion.
- Lose a laptop that’s not been encrypted and that contains medical records.
Where these types of medical records data breaches occur, it could cause you to be worried about the implications of your data being exposed. You could be eligible to claim for that stress as part of a compensation claim.
Examples Of Data Protection Breaches Of Medical Records
In this part of our guide, we’re going to look at a news report where a GP video appointment app was involved in a data breach.
The software in question is used to allow doctors to carry out consultations online rather than in person. In June 2020, the provider was contacted by one user who said they could access other patients’ video recordings. During an investigation, the company found that other users had gained access to similar recordings as well.
The user that reported the issues said that while checking his prescriptions online, he noticed around 50 consultation replays that did not involve him. The software provider, which has over 2.3 million UK users, said the problem had now been fixed.
They went on to confirm that, as well as the initial report, 2 other patients had been given access to the videos but did not view them. As per their GDPR obligations, the company reported the matter to the ICO. The user who initially reported the problem said that due to patient-doctor confidentiality concerns, he wouldn’t be using the app again.
Another example of a breach in which medical records were exposed involved the pharmacy Doorstep Dispensaree. Following an investigation by the ICO in which they found thousands of records kept in unlocked storage containers, Doorstep Dispensaree was fined £275,000.
How To Report Health And Social Care Services To The ICO
You might think that the only way you’ll be able to claim for a medical records data breach is if the ICO investigates. However, that’s not always the case. If you receive a letter or an email from your healthcare provider letting you know that your data has been exposed, there may already be enough evidence to start your claim. We’d suggest that you check with your data breach lawyer before seeking an investigation.
If you do decide to contact the ICO, you must have complained to the healthcare provider first. Where you disagree with their response, you should follow any escalation paths available to you.
If it has been 3 months since any meaningful update has happened, and you’re still not happy with the response, you could contact the ICO and ask them to look at the matter. They say that you shouldn’t leave it too long after that or they could turn you away.
Again, following an investigation, the ICO could force changes upon the company if they’re found to have broken the rules. They could also fine them up to 4% of their annual turnover. However, the ICO cannot issue compensation to you no matter how badly you’ve been affected.
Check What You Could Claim For A Breach Of Your Medical Data
There are a lot of things to consider when making a medical records data breach claim. Ensuring your claim is compiled correctly is important because you can only claim once.
That means you need to think about how you might be affected in the future as well as claiming for any suffering that’s already happened. In this section, we’ll look at what you’ll need to think about.
Firstly, claims are usually split into two elements:
- Material damages – where you base your claim on how much money the data breach has cost you.
- Non-material damages – this part of the claim is about any psychological injuries you’ve sustained.
For material damages, you’ll begin by calculating any financial losses you’ve already incurred. This should be quite straightforward. Then you might need to think about future suffering too. As an example, if your credit file has been damaged by identity theft crimes against you, the cost of loans, credit cards or mortgages could be higher for you until the damage is rectified.
The first part of a non-material damages claim will look at injuries that have already been diagnosed. After that, it might be necessary to claim for any future suffering listed in your medical report. If it shows that you’re going to suffer from Post-Traumatic Stress Disorder (PTSD), for instance, then that should be factored into your claim.
Due to the complexity of these claims, we believe it’s best to have legal support. Working with a data breach lawyer could mean you’ll receive a higher compensation payment. That’s because they’ll use their experience to try and make sure all parts of your suffering are claimed for.
Calculating Compensation For A Medical Records Data Breach
We are now going to show what level of compensation could be paid as part of a non-material damages claim. As explained above, these are psychological injuries that can be caused by data breaches.
Although we have listed some example amounts, you’ll only get a personalised figure once a solicitor has examined your case in more detail. The figures you can see in our compensation table have been taken from the latest edition of the Judicial College guidelines, a document used by lawyers to value different injuries.
| Claim | Severity | Compensation Range | Further Details |
|---|---|---|---|
| PTSD | Severe | £56,180 to £94,470 | Symptoms like mood disorders, suicidal ideation, hyper-arousal and flashbacks will be permanent and affect all aspects of life. |
| PTSD | Moderately Severe | £21,730 to £56,180 | The victim will suffer significantly with similar symptoms to above. However, with professional help improvements could be made. |
| Psychiatric Damage | Severe | £51,460 to £108,620 | Coping with life and maintaining relationships will be significantly difficult. Furthermore, medical treatment is not likely to help meaning the victim will stay vulnerable. Therefore prognosis will be very poor. |
| Psychiatric Damage | Moderately Severe | £17,900 to £51,460 | Symptoms will be significant and similar to those in the severe category. However, the victim will receive a more optimistic prognosis. |
| Psychiatric Damage | Moderate | £5,500 to £17,900 | In this compensation range, the prognosis will be good. That will be due to a number of marked improvements that have already taken place. |
Two important things to note about data breach claims are that:
- Compensation can be claimed for injuries that result from a personal data breach. Importantly, such claims are possible in cases where no financial losses have occurred. Previously some form of financial damage was required.
- To help lawyers determine compensation figures relating to mental harm, the values set out in personal injury law should be considered.
These statements were made by the Court of Appeal in the Vidal-Hall and others v Google Inc case.
During the claims process, you will need a medical assessment to verify the extent of your injuries and to prove that they were caused by the breach. This will be conducted by a specialist who is independent. Our solicitors can usually make these appointments locally to reduce the amount of travel required.
The specialist will try to determine how you have already suffered and what suffering could continue in the future. This will be achieved by reading your medical records and asking you several questions about the impact the data breach has had.
No Win No Fee Medical Records Data Breach Claims
There is no doubt that data breach claims can be complex. They can be stressful too if you’re worried about covering the cost of a solicitor’s work. However, if you choose to work with us, you don’t need to worry about that too much. That’s because we provide a No Win No Fee service for any claim that is taken on. This means that you could get access to a specialist solicitor with reduced financial risks.
Before the claim can be taken on, the solicitor will have to review its merits. Should they agree to work on the case for you, they’ll give you a Conditional Fee Agreement (CFA) to review. The formal title of a No Win No Fee agreement, the CFA shows you what criteria need to be met before you have to pay any solicitor’s fees. Essentially, unless you are compensated, you don’t pay your solicitor at all.
Where a claim is won, a small success fee is charged. This is listed in the CFA as a fixed percentage of your compensation. Your solicitor will retain that percentage of your compensation in a successful claim. To try and prevent success fees from being too high, they are capped by law.
Want to know more about No Win No Fee claims? If so, please get in touch.
Finding Lawyers Who Handle Medical Data Breach Claims
If you are looking for a data breach solicitor to help you, there’s no need to limit your search to local law firms. If you expand your search, you could benefit from a firm with recent experience in a case just like yours.
If your case is accepted by one of our specialists, they will:
- Carry out an extensive review of your case to establish all of the relevant facts.
- Arrange for an independent medical expert to review any injuries (usually locally).
- Collect and compile evidence to substantiate your claim.
- File your complaint with the healthcare provider you blame for your suffering.
- Liaise with their legal advisors so that you don’t need to be too involved.
- Update you regularly and answer any queries during the claims process.
- Aim to achieve the maximum amount of compensation possible in your case.
To find out more, please get in touch today. You can also check out our past reviews.
Contact Us
We are here to help if you’ve decided to claim for a medical records data breach. You can get free legal advice by:
- Calling our claims line on 0800 073 8804 and speaking to a specialist.
- Asking an online advisor to explain your options.
- Sending an email about your case to firstname.lastname@example.org.
- Completing our online claims form so that we can call you back.
Data Breach Resources
While we have provided all of the information we hope you’ll need to start a medical records data breach claim, we have added some further resources that might help you below. We’ve also shown some of the other types of data breaches we could help with.
Access Your Medical Records – NHS information about how to obtain copies of your medical records and who else could view them.
ICO Complaints – This page shows you how to complain to the ICO about different types of data privacy issues.
Anxiety Support – A charity in the UK that provides anxiety support and therapy via chat or video call.
Data Breach Claims Against Comparison Sites – A guide about claiming if a comparison site data breach has led to you suffering.
Housing Association Data Breaches – This article shows when data breaches caused by a housing association could result in compensation.
Nursery Data Breaches – This guide explains why you could claim for a nursery data breach.
Medical Data Breach Statistics
In our graph below, we have shown the most common types of healthcare data breaches reported to the ICO during the period 1st January 2021 to 31st March 2021. These figures relate to cybersecurity breaches.
These figures are data security incident trends released by the ICO.
FAQs For Healthcare Sector Data Breaches
As you have completed this article, we have provided some answers to common questions relating to health record data breaches below.
What are the most common causes of health information system breaches?
According to statistics from the Information Commissioner’s Office, the most common reason for cybersecurity-related data breaches was where the wrong recipient was sent personal data. For non-cyber security breaches, the main reason was unauthorised access. These figures relate to the first quarter of 2021.
What can hackers do with medical records?
Hackers can use the personal information in your medical records in several ways. Firstly, they could try to claim a ransom from you or the healthcare provider to stop the data from being made public. Alternatively, they could use the information to access other services or in identity theft crimes.
Can you sue a hospital for a medical records data breach?
If personal information from your medical records is exposed during a hospital data breach, you could seek damages for any harm that results. This could be in the form of financial losses or for any psychological suffering like distress, Post-Traumatic Stress Disorder or anxiety.