Patient Medical Records Data Breach Compensation Claims Experts

Unauthorised Access To Patient Medical Records UK – Can I Claim Compensation?

By Stephen Hudson. Last Updated 6th June 2022. In this guide, we look at how you could go about claiming compensation for unauthorised access to patient medical records in UK hospitals. Your medical records may contain sensitive information relating to illnesses and medical conditions that you either currently have or have experienced in the past. They also usually contain personal details such as your name and address, your next of kin, your ethnic origin and other personal data.

As such, any organisation that processes your medical records should take great care to ensure they protect that personal data. But what happens if someone gains unauthorised access to patient medical records in the UK? What consequences could this cause? And could a person who suffers harm because of inappropriate access to medical records in the UK claim compensation?

How This Guide Could Help

We have created this data breach compensation guide to offer some useful information about access to medical records. In the sections below, we look at security considerations for patients’ medical records, explain how to access your own medical records, and explain how NHS patient data should be protected.

In addition, we also answer common questions regarding access to medical records, such as:

  • Who can access my medical records in the UK?
  • How can I find out who has looked at my medical records in the UK?
  • Can NHS staff look at their own records?
  • Can I sue someone for accessing my medical records?

Further to this, we explain how to go about claiming compensation. We’ll also look at compensation brackets which give some insight into how much you may receive. If you have any questions about making a claim, you can call our team on 0800 073 8804. You can also reach us online through our claim form or our 24/7 live chat service. We could assess your case to see if you could be eligible for compensation. We may also be able to provide you with a specialist solicitor to support you.

A Guide To Claims For Unauthorised Access To Patient Medical Records UK

There are a number of different NHS service providers that decide why and how they need to use your personal data (to add to your medical records, for example). An organisation that decides the purpose and means of processing is a data controller; an organisation that only processes the data on a controller’s instructions is a data processor. Both must protect against unauthorised access to the medical records of data subjects, and they have a legal obligation to do so under the Data Protection Act 2018 and the UK GDPR. As well as this legislation, the Access to Health Records Act 1990 and the Access to Medical Reports Act 1988 apply to accessing medical records in certain circumstances.

You could potentially claim compensation for unauthorised access to patient medical records within UK services if the following applies and can be proven with evidence:

  • You were directly affected by this breach of data
  • The breach caused you to suffer emotional and/or financial harm
  • The breach occurred because the organisation responsible for holding your medical records failed to take appropriate steps to secure this information (for example, inadequate access controls or a failure to follow its own procedures)

You may be able to claim whether the breach was caused by a cybersecurity incident such as hacking or a mistake by an NHS worker. But what is unauthorised access to patient medical records in the UK? And what data could be breached?

What Is Personal Data?

Personal data, by the Information Commissioner’s definition, is data that could be used to identify you, either on its own or when it is used alongside other data. Examples of what could constitute personal information could include:

  • A name
  • Dates of birth
  • Contact details
  • An IP address or other online identifiers
  • Medical information
  • Religious information
  • Ethnic origin
  • Financial details

How This Guide Could Help

If any of this personal data is breached, it could cause several unwelcome consequences. You could feel that your privacy has been violated, or someone might use the information to access financial accounts. In addition, illegal access to medical records could also cause you distress. A claim for compensation may not make up for all the suffering you have endured due to improper access to your medical records. However, it could go some way towards helping you move forward after such an incident.

Within this guide, we offer a wealth of information as to the protection of patients’ medical records. We provide insight into the types of compensation you could claim, and how you could go about finding a data breach solicitor to help you. There are also further resources, including our contact information, at the bottom of this guide.

What Is An Unauthorised Access To Patient Medical Records?

According to the Information Commissioner’s Office (ICO), if an organisation breaches your personal data in a cybersecurity incident or a non-cyber security incident, this could mean it has been subjected to:

  • Unauthorised access
  • Theft or loss
  • Unlawful or unauthorised disclosure, alteration, destruction

A data breach could be the result of a malicious act or the result of a mistake by an employee: it can be accidental or deliberate.

Examples of what could cause a data breach could include:

  • Phishing attacks
  • Hacking
  • Automated (bot) attacks
  • Spyware, ransomware, other malware or a virus

Organisations can protect against such threats by, for example, using encrypted connections (such as HTTPS/TLS) for their systems, placing them behind a firewall, and transferring sensitive data via a VPN (Virtual Private Network) rather than over open networks. They should also ensure staff receive cybersecurity training. However, not all data breaches occur due to cybersecurity incidents. If staff do not lock filing cabinets, this could lead to unauthorised access to patient medical records in the UK. Similarly, if staff misplace paperwork, or send it to the wrong recipient, this could also be considered a breach.

Who Could Be The Victim?

The victim of this type of data breach could be anyone whose medical records are accessed without the authorisation that should have been obtained beforehand. Victims could include people in a care home, inpatients in hospital, outpatients and those who use GP services. These are just a few examples. Victims could also include those working within the NHS if, for instance, another member of staff accesses their records without consent and without good reason.

Cyber Security Considerations For NHS Patient Data

The House of Commons put together a briefing paper in May 2020 which covered the access and sharing of patient health records. It covers patient access to medical records as well as the authorisation of persons other than the patient to access patient records. The document also includes the requirements of the General Data Protection Regulation (GDPR) as incorporated into UK law by the Data Protection Act 2018.

The 10 Data Standards

It mentions the 10 data standards that the NHS should adhere to which are:

  • Staff must ensure that they handle, transmit and store all personal confidential data securely, whether it is in paper or electronic form.
  • They must understand their own responsibilities to adhere to the Data Security Standards, including their personal accountability for avoidable or deliberate breaches and their obligations to handle information responsibly.
  • Staff must complete security training annually. They will be required to sit a test, which they must pass.
  • Personal confidential information should only be accessed by staff who need it for their role; such access should be removed when it is no longer required.
  • Processes should be reviewed at least annually to identify issues and improve processes that may have caused near misses or breaches.
  • The NHS should ensure that it identifies and resists cyber attacks. It should act immediately following a near miss or data breach, and a report should be made to senior management within 12 hours of detection.
  • There should be a continuity plan in place to respond to data security threats, and this should be tested at least annually.
  • No unsupported operating systems, software or internet browsers should be used within the NHS IT estate.
  • There should be a strategy in place for protecting IT systems from cyber threats, based on a proven cybersecurity framework, which should be reviewed at least annually.
  • Any IT supplier is held accountable, through its contracts, for protecting the personal confidential information it is required to process.
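In practice, the fourth and sixth standards above (need-to-know access that is removed when no longer required, and prompt detection of breaches) are enforced by reviewing the access audit trail that electronic patient record systems keep. The following is an added example, not code from this page, from the NHS or from any real patient record system, showing one way such a review can be automated. It runs over a few constructed audit-log lines and flags three patterns of inappropriate access discussed in this guide: access by an account that should already have been removed, a staff member looking up their own record, and access to a patient the user has no recorded care relationship with. The log format, the care-team roster, the staff-to-record mapping and the leavers list are all assumptions made up for the example.

```python
"""Flag suspicious accesses in an electronic patient record audit trail.

Added example only: the audit-log format, care-team roster, staff record
mapping and leavers list below are constructed for illustration and do not
come from any real NHS system.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass
from datetime import datetime
from io import StringIO

# Constructed sample audit log (CSV): timestamp, user account, role,
# patient record identifier, action performed.
SAMPLE_AUDIT_LOG = """\
timestamp,user,role,patient,action
2022-06-01T09:02:11,nurse01,nurse,P1001,view
2022-06-01T09:05:40,dr_smith,doctor,P1001,update
2022-06-01T10:15:02,admin07,receptionist,P2002,view
2022-06-01T11:30:55,nurse01,nurse,P3003,view
2022-06-01T12:01:13,dr_smith,doctor,P9009,view
2022-06-01T13:45:00,leaver42,doctor,P1001,view
2022-06-01T14:10:27,dr_smith,doctor,P2002,view
"""

# Constructed roster: which staff accounts have a legitimate care
# relationship with which patient on the day in question.
CARE_TEAM = {
    "P1001": {"nurse01", "dr_smith"},
    "P2002": {"admin07", "dr_smith"},
    "P3003": {"nurse02"},
}

# Constructed mapping from a staff account to that person's own patient record.
STAFF_PATIENT_IDS = {"dr_smith": "P9009"}

# Constructed list of accounts whose access should have been removed, with
# the date on which removal was due.
LEAVERS = {"leaver42": datetime(2022, 5, 20)}


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    user: str
    patient: str
    reason: str


def parse_audit_log(text: str) -> list[dict]:
    """Parse the CSV audit trail into rows with a real datetime timestamp."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def review_access(rows, care_team, staff_patient_ids, leavers) -> list[Finding]:
    """Return one Finding per access that breaks a need-to-know rule.

    Checks, in order of severity: access by a leaver after the removal date,
    a staff member viewing their own record, and access to a patient the
    user is not recorded as caring for.
    """
    findings: list[Finding] = []
    for row in rows:
        user, patient, ts = row["user"], row["patient"], row["timestamp"]
        if user in leavers and ts >= leavers[user]:
            findings.append(Finding(ts, user, patient,
                                    "access by account that should have been removed"))
            continue
        if staff_patient_ids.get(user) == patient:
            findings.append(Finding(ts, user, patient,
                                    "staff member viewed their own record"))
            continue
        if user not in care_team.get(patient, set()):
            findings.append(Finding(ts, user, patient,
                                    "no recorded care relationship with patient"))
    return findings


def review_sample() -> list[Finding]:
    """Run the review over the constructed sample log."""
    return review_access(parse_audit_log(SAMPLE_AUDIT_LOG),
                         CARE_TEAM, STAFF_PATIENT_IDS, LEAVERS)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.timestamp.isoformat()}  {f.user:<10} {f.patient}  {f.reason}")
```

In a real deployment the roster would be derived from the system's own admission, appointment and referral data rather than a hand-written dictionary, and the output would feed the 12-hour escalation route the sixth standard describes rather than a terminal.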

It is vital that those who handle personal data do so securely and confidentially. A breach of personal data can cause not only financial problems but also psychological harm.

Improper Access And Disclosure

The General Medical Council gives guidance on access and disclosure of personal information. Its guidance specifies that health care records could come in a number of formats such as:

  • Lab reports
  • Handwritten notes
  • Communications via text and e-mail with patients
  • Electronic records
  • Correspondence between health professionals
  • Audio and visual recordings

It mentions that improper disclosure could be unintentional, and could occur by way of:

  • Other members of staff seeing notes and records
  • People overhearing conversations on patient wards, in reception areas and in public places
  • Patient notes being misplaced while in transit
  • Handover notes being lost

What Is Recommended?

Guidance about the access and disclosure of personal records includes the following recommendations:

  • Staff should not leave patients’ notes or records unattended, whether on paper or on a screen
  • Staff should not share passwords
  • Staff must not access patient records without a legitimate reason to do so
  • Staff should not share personal information in chat forums or in a conversation where it could be overheard

How Should Medical Records Be Processed?

If you are a data controller, you must ensure you process data in accordance with the UK GDPR and the Data Protection Act 2018, which gives GDPR effect in UK law. Data controllers must establish, and keep up to date, a clear understanding of how personal information is governed within their organisation. Even if you are not a data controller, if you still handle personal data in your job, then you must make sure you are familiar with the policies relating to data management and confidentiality and follow the correct procedures. You should also know where to ask for advice on such issues.

What Rights Do Patients Have To Access Their Own Medical Records?

Subject to certain safeguards, patients have the right to access their medical records. The ICO states that, in most cases, an organisation cannot charge a fee for responding to a Subject Access Request; a reasonable fee may be charged only where a request is manifestly unfounded or excessive, or for further copies of the same information.

How Can I Get Access To My Medical Records?

You should be able to ask your GP surgery, hospital or other medical services provider for your medical records. Those who receive such requests should help patients exercise their legal rights to obtain their own records.

Can You Access Someone Else’s Medical Records?

If you’re wondering ‘can someone access my medical records without my permission?’, the answer is that it depends on the situation. According to the NHS, someone seeking to access another person’s medical records must either:

  • Have a legal basis for accessing such records
  • Be acting on behalf of the patient with the patient’s authorisation to access their records
  • Hold a power of attorney (a legal authority) that covers access to their medical records

How To Access Medical Records

If you are acting on behalf of another person, you should make a Subject Access Request to the organisation that is providing or has provided care to the patient. A healthcare provider could refuse such a request, in whole or in part, only if:

  • Disclosure would be likely to cause serious harm to the physical or mental health of the patient or another person
  • The record contains information relating to another identifiable person who has not consented to its disclosure

If a patient is 12 years old or under, someone with parental responsibility for that child could access their records.

Can I Sue The NHS For Breach Of Confidentiality?

In order to hold a valid data breach claim against another party, they must have failed to adhere to the Data Protection Act 2018. Your personal data must have been breached. You could potentially be in a position to make a claim for compensation if the breach has caused you emotional or financial harm.

Who Do I Report Unauthorised Access To NHS Medical Records?

If you believe you’ve been impacted by unauthorised access to patient medical records in the UK, you should, as per ICO advice, take the issue up with the healthcare provider in the first instance. You could write to them, explaining what has happened and how it has affected you.

When Do I Inform The ICO If Someone Illegally Accessed My Medical Records?

If you are unhappy with the response to your report of illegal access to medical records or you don’t receive a reply, you could consider reporting your concerns to the ICO. The ICO could launch their own investigation and may take enforcement action against the organisation. The ICO suggests raising your concerns with them within three months of the final meaningful contact from the organisation you’re concerned about.

However, you could seek legal advice. You could contact our team for a free eligibility assessment, and we could even provide you with a data breach lawyer to help you start your claim.

Compensation Payouts For Unauthorised Access To Patient Medical Records In The UK

If you intend to claim compensation for unauthorised access to patient medical records in the UK, a data breach lawyer may assess how the breach has affected you and review all the evidence to see what damages you could claim. The UK GDPR gives victims of data breaches the right to seek compensation for material and non-material damage. Someone accessing your medical records illegally will not always cause you financial harm, but if it does, you could include such losses within your claim. Non-material damage could include loss of privacy, distress and even psychological/psychiatric harm.

Vidal-Hall and others v Google Inc [2015] – Court of Appeal

In the case above, the Court of Appeal confirmed that compensation for distress caused by a data breach can be claimed even where the claimant has suffered no financial loss. Where a breach has caused psychological or psychiatric harm, you may need to visit an independent doctor so that they could provide a report detailing your injuries and prognosis. Courts and data breach solicitors could use this report alongside the Judicial College Guidelines (JCG), a publication, to arrive at an appropriate amount for your claim. Below, you will see figures from the JCG relating to psychological injuries. This could give you some idea of the compensation brackets for such injuries.

Injury                        | Severity           | JCG compensation bracket
------------------------------|--------------------|-------------------------
Psychiatric damage generally  | Severe             | £54,830 to £115,730
Psychiatric damage generally  | Moderately severe  | £19,070 to £54,830
Psychiatric damage generally  | Moderate           | £5,860 to £19,070
Psychiatric damage generally  | Less severe        | £1,540 to £5,860
PTSD injuries                 | Severe             | £59,860 to £100,670
PTSD injuries                 | Moderately severe  | £23,150 to £59,860
PTSD injuries                 | Moderate           | £8,180 to £23,150
PTSD injuries                 | Less severe        | £3,950 to £8,180

To find out more about what you could receive in a data breach claim, get in touch with our advisors at any time. They can offer free legal advice and could potentially connect you with one of our expert solicitors.

More payouts for unauthorised access to medical records

As mentioned above, you could potentially also claim for material damage. Under material damage, you can claim back specific financial losses relating to the incident.

For example, if someone accessed your medical records without your permission, it may be possible for them to then create a personalised phishing scam designed to trick you into sending them money. If this happens to you, and you can prove it was caused by the negligence of the data processor or controller for your healthcare provider, you could potentially claim compensation.

Call us to find out more about payouts for unauthorised access to medical records.

No Win No Fee Claims For Unauthorised Access To Patient Medical Records UK

Would you like a data breach solicitor to help you with your claim, but are unsure how you would pay for one? You may be pleased to learn that you could potentially make a claim for unauthorised access to patient medical records in the UK under No Win No Fee terms. No Win No Fee data breach solicitors would generally work as follows:

  1. Your data breach solicitor sends a document to you known as a Conditional Fee Agreement. It sets out the details of a success fee, which you’d only have to pay in the event of a successful claim. The fee is subject to a legal cap. It is usually only a small percentage of your compensation.
  2. Once you’ve signed and sent the agreement back, the data breach solicitor would work on your case, negotiating compensation for you. Once your settlement comes through, they’d deduct the success fee, and the rest would be for your benefit.
  3. If your claim ends without compensation, the success fee wouldn’t be payable.

Want To Know More?

To learn more about making a breach of data claim under these terms, why not read our No Win No Fee guide? Or, you could always call our team; we’re always happy to answer any questions you might have. We could even provide you with a No Win No Fee solicitor to help you with your claim.

Contact Us About A Medical Records Data Breach

If you’re ready to make a claim because someone has gained unauthorised access to patient medical records in the UK and your personal data has been breached, we’d be glad to help you. We could assess your eligibility to claim for free. We could also provide you with a No Win No Fee solicitor to help you get the compensation your case deserves. You can reach us by calling 0800 073 8804, through our online claim form, or via our 24/7 live chat service.

Medical Data Breach Statistics

According to the ICO’s Q2 data breach reports for 2020/2021, they received a number of reports from the health sector. There were a total of 442 breaches reported in Q2 of 2020/2021 in the sector, due to both cybersecurity and non-cyber security incidents. These included:

  • 10 phishing incidents
  • 3 incidents involving ransomware
  • 73 incidents where someone sent an email to the wrong recipient
  • 54 incidents where someone faxed or posted data to the wrong recipient
  • 2 incidents relating to unauthorised access
  • 24 incidents where personal data was verbally disclosed

FAQs On Unauthorised Access To Patient Medical Records

Can I Sue Someone For Accessing My Medical Records?

This depends on whether someone has accessed your records with the proper authorisation or not. If they do not have your consent or the proper authority to access your records, you would usually need to take action against the data controller.

Can You Sue The NHS For Breach Of Confidentiality?

If the NHS has breached your confidentiality by not preventing unauthorised access to patient medical records in the UK, call our team for a free assessment on this.

Do I Have A Right To Know Who Accessed My Medical Records UK?

You do have a right to know who has accessed your medical records. Electronic patient record systems keep an audit trail of who has opened a record, so you could make a subject access request to the healthcare provider to find this out.

Who can access my medical records?

Only those with proper authorisation should be able to access your medical records.

For more information, you can call us on the number above.

Can Someone Access My Medical Records Without My Permission?

The NHS would usually need your consent to allow someone to access your medical records. The NHS could share your information under ‘implied consent’, for example with NHS staff and social care staff who are supporting you or caring for you. They could only share this information in certain circumstances.

However, someone can access your medical records without your permission in cases of hacking or cybersecurity incidents. If your personal data is not properly protected, it could be accessed by unauthorised parties. If your personal data has been breached and this has led to material or non-material damages of some kind, get in touch with us to find out how you could claim.

Can NHS Staff Look At Their Own Records?

NHS staff could look at their own records if they make a request to see them. However, according to NHS policies and procedures on staff access, they should not use NHS IT systems to look themselves up. They should, just like anyone else, make a subject access request to view such records.


Requesting Medical Records – Here, you can find out how to access your own medical records.

NHS Data Breach Claims – You can find general information about data breach claims against the NHS here.

HR Data Breaches – If HR has breached your personal data, this guide could be of use to you.

Legal Expert Reviews – You can find out what other people have thought of our service levels here.

If you still have any questions about making claims in the UK for unauthorised access to patient medical records, then you can contact Legal Expert for advice and assistance. You can reach our advisors either online or on the phone by using the contact details featured in this guide. Our advisors can help with any queries you may have, such as whether you have grounds to claim because someone gained access to your medical records without permission.
