Unauthorised Access To Patient Medical Records UK – Can I Claim Compensation?
Your medical records could contain pieces of sensitive information relating to illnesses and medical conditions. However, they could also include details of your next of kin, your ethnic origin and other personal data. As such, any organisation that processes your medical records should take great care to ensure they protect that personal data. But what happens if someone gains unauthorised access to patient medical records in the UK? What consequences could this cause? And could a person who suffers harm because of inappropriate access to medical records in the UK claim compensation?
How This Guide Could Help
We have created this data breach compensation guide to offer useful information about access to medical records. In the sections below, we look at security considerations for patients’ medical records. We explain how to access your medical records and how NHS patient data should be protected. In addition, we answer common questions regarding access to medical records, such as:
- Who can access my medical records in the UK?
- How can I find out who has looked at my medical records in the UK?
- Can NHS staff look at their own records?
- Can I sue someone for accessing my medical records?
Further to this, we explain how to go about claiming compensation, and how much you could receive. If you have any questions about making a claim, please call our team on 0800 073 8804. We could assess your case to see if you could be eligible for compensation and provide you with a specialist solicitor to help you.
Select A Section
- A Guide To Claims For Unauthorised Access To Patient Medical Records UK
- What Is An Unauthorised Access To Patient Medical Records?
- Cyber Security Considerations For NHS Patient Data
- Improper Access And Disclosure
- How Should Medical Records Be Processed?
- What Rights Do Patients Have To Access Their Own Medical Records?
- Can You Access Someone Else’s Medical Records?
- Who Do I Report Unauthorised Access To NHS Medical Records To?
- Calculating Compensation For Unauthorised Access To Patient Medical Records
- No Win No Fee Claims For Unauthorised Access To Patient Medical Records UK
- Contact Us About A Medical Records Data Breach
- Medical Data Breach Statistics
- FAQs On Unauthorised Access To Patient Medical Records
There are a number of different NHS service providers that could have collected some of the personal data that makes up your medical records. As such, each of them could be considered a data controller. They should therefore protect against unauthorised access to the medical records of UK data subjects, and they have a legal obligation to do so under the Data Protection Act 2018 and the GDPR. Alongside that legislation, the Access to Health Records Act 1990 and the Medical Reports Act 1988 could also apply when accessing medical records.
If an organisation fails to protect against unauthorised access to patient medical records in the UK, and you suffer emotional or financial harm as a result, you could potentially claim compensation. This could be the case whether the breach was caused by a cybersecurity incident such as hacking, a mistake by an NHS worker, or negligence.
But what is unauthorised access to patient medical records in the UK? And what data could be breached?
What Is Personal Data?
Personal data, by the Information Commissioner’s definition, is data that could be used to identify you, either on its own or when it is used alongside other data. Examples of what could constitute personal information could include:
- A name
- Dates of birth
- Contact details
- An IP address or other online identifiers
- Medical information
- Religious information
- Ethnic origin
- Financial details
How This Guide Could Help
If any of this personal data is breached, it could cause several unwelcome consequences. You could feel that your privacy has been violated, or someone might use the information to access financial accounts. In addition, illegal access to medical records could also cause you distress. A claim for compensation may not make up for all the suffering you have endured due to improper access to your medical records. However, it could go some way towards helping you move forward after such an incident.
Within this guide, we offer a wealth of information on the protection of patients’ medical records. We provide insight into the types of compensation you could claim, and how you could go about finding a data breach solicitor to help you. There are also further resources, including our contact information, at the bottom of this guide.
According to the Information Commissioner’s Office (ICO), if an organisation breaches your personal data in a cybersecurity incident or a non-cyber incident, this could mean the data has been subjected to:
- Unauthorised access
- Theft or loss
- Unlawful or unauthorised disclosure, alteration, destruction
A data breach could be the result of a malicious act, either from inside or outside of the organisation. It could also be the result of a mistake by an employee, or negligence.
Examples of what could cause a data breach could include:
- Phishing attacks
- Hacking
- A bot
- Spyware, ransomware, malware or a virus
Organisations could protect against such threats by having a secure domain, using a firewall or transferring sensitive data via a VPN (Virtual Private Network), for example. They could also ensure staff receive cybersecurity training. However, not all data breaches occur due to cybersecurity incidents. If staff do not ensure they lock filing cabinets, this could lead to unauthorised access to patient medical records in the UK. Similarly, if staff misplace paperwork, or send it to the wrong recipient, this could also be considered a breach.
Who Could Be The Victim?
The victim of a data breach could be anyone whose medical records are accessed without authorisation. This could include people in a care home, inpatients in hospital, outpatients and those that access GP services. These are just a few examples. Victims could even be those working within the NHS, if another member of staff accesses their records without consent and without good reason.
The House of Commons put together a briefing paper in May 2020 which covered the access and sharing of patient health records. It covers patient access to medical records as well as the authorisation of persons other than the patient to access patient records. The document also covers the new requirements of the General Data Protection Regulation (GDPR) as they are now incorporated into the Data Protection Act 2018.
The 10 Data Standards
It mentions the 10 data standards that the NHS should adhere to which are:
- Staff must ensure that they handle, transmit and store all personal confidential data securely, whether it is in paper or electronic form.
- They must understand their own responsibilities to adhere to the Data Security Standards, including their personal accountability for avoidable or deliberate breaches and their obligations to responsibly handle information.
- Staff must complete security training annually. They will be required to sit a test, which they must pass.
- Personal confidential information should only be accessed by staff who need it for their role; such access should be removed when the member of staff no longer requires it.
- Processes should be reviewed at least annually to identify issues and to improve any processes that may have caused near misses or breaches.
- The NHS should ensure that it identifies and resists cyber attacks. It should act immediately following a near miss or data breach. Reports should be made to senior management within 12 hours of them being detected.
- There should be a continuity plan in place to respond to data security threats and this should be tested at least annually.
- No operating systems that are unsupported should be used within the NHS IT estate.
- There should be a strategy in place to protect IT systems from cyber threats, based on a proven cybersecurity framework, and it should be reviewed at least annually.
- Any IT supplier should be held accountable for protecting the personal confidential information it is required to process.
It is vital that those who handle personal data do so securely and confidentially. A breach of personal data can cause not only financial problems but also mental illness.
The General Medical Council gives guidance on access and disclosure of personal information. Its guidance specifies that health care records could come in a number of formats such as:
- Lab reports
- Handwritten notes
- Communications via text and e-mail with patients
- Electronic records
- Correspondence between health professionals
- Audio and visual recordings
It mentions that improper disclosure could be unintentional, and could occur by way of:
- Other members of staff seeing notes and records
- People overhearing conversations on patients’ wards, at reception areas and in public places
- Patient notes being misplaced while in transit
- Handover notes being lost
What Is Recommended?
Guidance on access and disclosure of personal records includes the following recommendations:
- Staff should not leave patients’ notes or records unattended, whether on paper or on a screen
- Staff should not share passwords
- They mustn’t access patient records without legitimate reasons to do so
- Staff should not share personal information in chat forums or in a conversation where it could be overheard
If you are a data controller, you must ensure you process data in accordance with GDPR and its enshrinement into UK law under the Data Protection Act 2018. It specifies that data controllers must develop an understanding and maintain that understanding as to how to govern personal information. Even if you are not a data controller, you must make sure you are familiar with the policies relating to data management and confidentiality and you must follow procedures. You should also know where to ask for advice on such issues.
Subject to certain safeguards, patients should have a right to access their medical records. The ICO states that there is no rule allowing those who respond to a Subject Access Request to ask for a fee to be paid.
How Can I Get Access To My Medical Records?
You should be able to ask your GP surgery, hospital or other medical services provider for your medical records. Those who receive such requests should help patients exercise their legal rights to obtain their own records.
If you’re wondering ‘can someone access my medical records without my permission?’, the answer is that it depends on the situation. According to the NHS, someone attempting to access another person’s medical records must:
- Have a legal basis for accessing such records
- Be acting on behalf of the other person, with their authorisation to access their records
- Have power of attorney (a legal authority) to access their medical records
How To Access Medical Records
If you are acting on behalf of another person, you should make a Subject Access Request to the organisation that is providing or has provided care to the patient. A healthcare provider could refuse such a request only if:
- It could cause harm to the mental or physical health of the patient
- The record has other information relating to another person
If a patient is 12 years old or under, someone with parental responsibility for that child could access their records.
Can I Sue The NHS For Breach Of Confidentiality?
In order to have a valid data breach claim against another party, they must have failed to adhere to the Data Protection Act 2018, and your personal data must have been breached. You could potentially be in a position to make a claim for compensation if the breach has caused you emotional or financial harm.
If you believe you’ve been impacted by unauthorised access to patient medical records in the UK, you should, as per ICO advice, take the issue up with the healthcare provider in the first instance. You could write to them, explaining what has happened and how it has affected you.
When Do I Inform The ICO If Someone Illegally Accessed My Medical Records?
If you are unhappy with the response to your report of illegal access to medical records or you don’t receive a reply, you could report your concerns to the ICO. The ICO could launch their own investigation and could take enforcement action against the organisation. This may include the ICO issuing a fine.
However, you could seek legal advice. You could contact our team for a free eligibility assessment, and we could even provide you with a data breach lawyer to help you start your claim.
If you intend to claim compensation for unauthorised access to patient medical records in the UK, a data breach lawyer could assess how the breach has affected you and review all the evidence to see what damages you could claim. GDPR gives victims of data breaches the right to seek compensation for material and non-material damage. While someone accessing your medical records illegally might not cause you financial harm, if it does, you could include such damages within your claim. When it comes to non-material damages, these could include loss of privacy, distress and even psychological/psychiatric harm.
Vidal-Hall and others v Google Inc – Court of Appeal
In the case above, the judge discussed personal injury awards for psychological and psychiatric harm due to data breaches, and said they should be considered. Therefore, you may need to visit an independent doctor so that they could provide a report detailing your injuries and prognosis. Courts and data breach solicitors could use this report alongside the Judicial College Guidelines, a publication, to come to an appropriate amount for your claim. Below, you will see figures from the JCG relating to psychological injuries. This could give you some idea of the compensation brackets for such injuries.
| Injury | JCG Compensation Bracket | Remarks |
|---|---|---|
| PTSD Injuries | £3,710 to £7,680 | Less severe |
| Cases involving general psychological injuries | £1,440 to £5,500 | Less severe |
| PTSD Injuries | £7,680 to £21,730 | Moderate |
| Cases involving general psychological injuries | £5,500 to £17,900 | Moderate |
| PTSD Injuries | £21,730 to £56,180 | Moderately severe |
| Cases involving general psychological injuries | £17,900 to £51,460 | Moderately severe |
| PTSD Injuries | £56,180 to £94,470 | Severe |
| Cases involving general psychological injuries | £51,460 to £108,620 | Severe |
Would you like a data breach solicitor to help you with your claim, but are unsure how to go about paying them? You may be pleased to learn that you could make a claim for unauthorised access to patient medical records in the UK under No Win No Fee terms. No Win No Fee data breach solicitors would generally work as follows:
- Your data breach solicitor sends a document to you known as a Conditional Fee Agreement. It sets out the details of a success fee, which you’d only have to pay in the event of a successful claim. The fee is subject to a legal cap. It is usually only a small percentage of your compensation.
- Once you’ve signed and sent the agreement back, the data breach solicitor would work on your case, negotiating compensation for you. Once your settlement comes through, they’d deduct the success fee, and the rest would be for your benefit.
- If your claim ends without compensation, the success fee wouldn’t be payable.
Want To Know More?
To learn more about making a breach of data claim under these terms, why not read our useful guide? Or, you could always call our team; we’re always happy to answer any questions you might have. We could even provide you with a No Win No Fee solicitor to help you with your claim.
If you’re ready to make a claim because someone has gained unauthorised access to patient medical records in the UK and your personal data has been breached, we’d be glad to help you. We could assess your eligibility to claim for free. We could also provide you with a No Win No Fee solicitor to help you get the compensation your case deserves. You can reach us via:
- Telephone: 0800 073 8804
- E-mail: email@example.com
- By completing our online contact form
- Or, you could simply use our Live Chat service to get in touch with our team
According to the ICO’s Q2 data breach reports for 2020/2021, they received a number of reports from the health sector. There were a total of 442 breaches reported in Q2 of 2020/2021 in the sector, due to both cybersecurity and non-cyber security incidents. These included:
- 10 phishing incidents
- 3 incidents involving ransomware
- 73 incidents where someone sent an email to the wrong recipient
- 54 incidents where someone faxed or posted data to the wrong recipient
- 2 incidents relating to unauthorised access
- 24 incidents where personal data was verbally disclosed
Can I Sue Someone For Accessing My Medical Records?
This depends on whether someone has accessed your records with the proper authorisation or not. If they do not have your consent, or the proper authority to access your records, you would usually need to take action against the data controller.
Can You Sue The NHS For Breach Of Confidentiality?
If the NHS has breached your confidentiality by not preventing unauthorised access to patient medical records in the UK, call our team for a free assessment on this.
Do I Have A Right To Know Who Accessed My Medical Records UK?
You do have a right to know who accessed your medical records. You could make a request to the healthcare provider to find this out.
Can Someone Access My Medical Records Without My Permission?
The NHS would usually need your consent to allow someone to access your medical records. The NHS could share your information under ‘implied consent’, for example with NHS staff and social care staff who are supporting you or caring for you. However, they could only share this information in certain circumstances.
Can NHS Staff Look At Their Own Records?
NHS staff could look at their own records if they make a request to see them. However, they should not use NHS IT systems to do so, according to this set of policies and procedures. They should, just like anyone else, make a subject access request to view such records.
ICO Warns NHS Staff About Accessing Patient Records – Here, you can find details of a warning from the ICO to NHS staff about unauthorised access to patient medical records in the UK being an offence.
Nurse Prosecuted For Illegal Access To Patient Records – Here, you can find a report relating to a nurse illegally accessing patient records.
Requesting Medical Records – Here, you can find out how to access your own medical records.
Data Breach Claims – You can find general information about data breach claims against the NHS here.
HR Data Breaches – If HR has breached your personal data, this guide could be of use to you.
Legal Expert Reviews – You can find out what other people have thought of our service levels here.
Written By Jefferies
Edited By Melissa.