By Cat Way. Last Updated 24th March 2025 In this guide, we look at how you could go about claiming compensation for unauthorised access to patient medical records in UK hospitals. Your medical records may contain sensitive information relating to illnesses and medical conditions that you either currently have or have experienced in the past. They also usually contain personal details such as your name and address, your next of kin, your ethnic origin and other personal data.
As such, any organisation that processes your medical records should take great care to ensure they protect that personal data. But what happens if someone gains unauthorised access to patient medical records in the UK? What consequences could this cause? And could a person who suffers harm because of inappropriate access to medical records in the UK claim compensation?
You can also watch our video below which explains the key takeaways from our guide:
Select A Section
- Can I Claim Compensation If Someone Gained Unauthorised Access To My Medical Records?
- What Is Personal Data?
- Unauthorised Access To Patient Medical Records – What Evidence Do You Need To Claim?
- How Could Unauthorised Access To Patient Medical Records Happen?
- Compensation Payouts For Medical Data Breaches
- No Win No Fee Data Breach Claims
- Learn More About Claiming Compensation For A Personal Data Breach
Can I Claim Compensation If Someone Gained Unauthorised Access To My Medical Records?
There are a number of different service providers that can decide why and how they need to use your personal data (to add to your medical records, for example). As such, they could be considered a data controller or a data processor. A data controller decides how and why your personal data is used, whereas a processor follows their instructions to process the data.
All data controllers and processors must comply with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). If they fail to do so, this could lead to a personal data breach. A data breach occurs when a security incident affects the confidentiality, availability, or integrity of your personal data.
You could potentially claim compensation for unauthorised access to patient medical records if you can establish that:
- You were directly affected by this breach of data
- The breach caused you to suffer emotional and/or financial harm
- The breach occurred because the organisation responsible for holding your medical records failed to take the correct steps to secure this information through positive wrongful conduct
What Is Unauthorised Access To Patient Medical Records?
Unauthorised access to patient records involves any entity apart from the data controller or the processor accessing medical data. Article 5 of the UK GDPR mandates organisations to safeguard personal and sensitive data, including healthcare providers.
However, unauthorised access to patient medical records could occur due to the following reasons:
- Cybercrime: If a healthcare organisation doesn’t have a strong security policy in place, medical records are a common target for cybercriminals due to their sensitive nature.
- Human Error: Your medical records could be breached due to a simple mistake, such as sending an email to the wrong person or erroneously sharing a password.
- Physical theft: A data breach could also occur due to mistakes like not destroying a record correctly or misplacing a folder.
Under normal circumstances, inappropriate access to your medical records in the UK shouldn’t be possible. In order to access your medical data, the following needs to be established about the person attempting to do so:
- There is a legal basis for trying to access your medical records.
- They’re acting on behalf of the data subject or the person who could be identified with the help of the personal data.
- They have a power of attorney.
The only other way for somebody to obtain your medical records is through illegal means or if they’ve erroneously received this information.
Contact our advisors for more information on safeguarding medical data.
What Is Personal Data?
You may be wondering what personal data is and how that applies to unauthorised access to patient medical records.
In short, personal data is information that can be used to identify an individual, either alone or when combined with another piece of information. For example, you could be identified with a combination of your date of birth and home address.
There is a subcategory of data which requires extra protection because of its sensitivity. This is called special category data, and this includes your medical records. It also covers the likes of your:
- Religious beliefs.
- Gender.
- Sexual orientation.
- Ethnicity.
Given that medical data is in the special category bracket, you may ask: “Can someone access my medical records without my permission?” The answer is no. Even a trusted person has to apply to access medical data as a proxy with the patient’s permission.
If someone has been given inappropriate access to medical records and your life or mental health has been impacted as a result, you may have the right to claim. Simply call us today for a free evaluation and let us tell you if an expert solicitor could pick up your data breach claim.
Unauthorised Access To Patient Medical Records – What Evidence Do You Need To Claim?
You may be wondering what evidence could support a personal data breach claim after unauthorised parties had access to your medical records in the UK.
Evidence can help strengthen multiple areas of your claim, and you can collect this alone or with the help of an expert No Win No Fee solicitor. For example, with the right evidence, you can illustrate how the breach occurred, how it has affected your mental health, and how it has affected your finances. Some examples of evidence you could use to support your claim include:
- Letter of notification: In some cases, you may receive a letter of notification from the organisation responsible for the breach. This can then be used as evidence, as it may state what data was affected and how the breach occurred.
- Correspondence with the ICO: Correspondence with the ICO, such as the results of an investigation or a complaint, could also be used as evidence in your claim.
- Medical records: Your medical records can support a claim for damage to your mental health, as these can illustrate the effect the breach has had on your well-being.
- Financial statements: Financial documents such as bank statements and credit reports can help demonstrate how the breach has affected you financially.
These are only a few examples of evidence that you could collate and use to help strengthen your claim. To learn more about claiming after a data breach that has affected a patient’s medical records, contact our team today.
How Could Unauthorised Access To Patient Medical Records Happen?
The Information Commissioner’s Office (ICO) is the UK’s independent body that ensures organisations comply with data protection legislation. They define a personal data breach as a security incident which may result in your information being accidentally or unlawfully destroyed, lost, altercated, disclosed or accessed.
Unauthorised access to patient medical records in the UK is when medical data is unlawfully accessed by staff or persons who are not required to process the data in their daily job roles and is classed as a medical data breach. This may occur via a phishing attack, or through medical computer systems being hacked or targeted by malware. It is down to organisations to protect you against such threats by ensuring staff receive cybersecurity training and having their computer systems protected by a firewall.
However, such a data breach could also occur via a non-cyber incident. For example, if an organisation does not store your medical records in locked filing cabinets, your data could be lost or stolen. Additionally, your medical records could be emailed to the wrong home address despite your correct address being on file.
Examples Of Medical Data Breaches
There are many ways that someone could get unauthorised access to patient medical records, including:
- A staff member leaves your records open and unattended on a public-facing desk.
- Your medical records are faxed to the wrong address, or posted to the wrong postal address.
- Inadequate cybersecurity defences allow cybercriminals to access your medical records online.
As we’ve already mentioned, you must be able to prove that the medical records data breach was caused by the organisation’s wrongful conduct in order to claim data breach compensation.
Our advisors are here to help if you’d like to learn more about making a data breach compensation claim. Get in touch today to start your free consultation.
Compensation Payouts For Medical Data Breaches
Should you make a successful personal data breach claim, you could receive up to two heads of compensation. These include material damage compensation, and non-material damage compensation.
The first head of claim, non-material damage compensation, relates to the psychological effects of the personal data breach. For example, you could suffer from stress, anxiety, or depression following a breach. Similarly, it could exacerbate any existing conditions, such as post-traumatic stress disorder.
Those who value this head of your claim may refer to the Judicial College Guidelines (JCG). This document can help, as it provides guideline compensation amounts for different injuries, including psychological injuries.
Below, you can find some examples of these entries. The figures in this table are guidelines only, and the first entry in this table has not been taken from the JCG.
| Injury | Severity | JCG Compensation Bracket |
|---|---|---|
| Severe Psychological Harm Plus Financial Losses | Serious | Up to £150,000+ |
| Psychiatric Damage Generally | Severe | £66,920 to £141,240 |
| Psychiatric Damage Generally | Moderately Severe | £23,270 to £66,920 |
| Psychiatric Damage Generally | Moderate | £7,150 to £23,270 |
| Psychiatric Damage Generally | Less Severe | £1,880 to £7,150 |
| PTSD | Severe | £73,050 to £122,850 |
| PTSD | Moderately Severe | £28,250 to £73,050 |
| PTSD | Moderate | £9,980 to £28,250 |
| PTSD | Less Severe | £4,820 to £9,980 |
What Is Material Damage Compensation?
Material damage compensation addresses the financial losses you incur as a result of the breach. For example, this could include lost earnings if you needed to take time off work to recover from the psychological effects of the breach.
This head of claim can also help if money is stolen from your account, your credit score is damaged, or if someone steals your identity.
To learn more about claiming compensation for unauthorised access to patient health records, contact our team today.
No Win No Fee Data Breach Claims
If you are interested in making a claim for inappropriate access to your medical records in the UK, one of our solicitors may be able to help. Working with a solicitor can bring many benefits to your claim. For example, a solicitor can help you gather evidence, talk to witnesses, and explain any complex legal jargon.
Our solicitors offer their services on a No Win No Fee basis. They do this by offering their clients a Conditional Fee Agreement (CFA). Under a CFA, your solicitor won’t take any fees to start working on your claim or to continue their services. Likewise, if your claim doesn’t succeed, our solicitor won’t take a fee for their work.
If your medical data breach claim does succeed, then your solicitor will be due a success fee. This fee is taken from your compensation as a small percentage. However, the amount they can take is capped by law. This legislative cap allows you to keep the majority share of what you receive.
To find out if one of our solicitors could help you make a personal data breach claim, contact our team of advisors today. They can offer a free evaluation, following which they may be able to connect you with one of our solicitors. To get started:
- Call us on 0800 073 8804
- Contact us online
- Use the live chat feature
Learn More About Claiming Compensation For A Personal Data Breach
Below, you can find more useful information on the topic of unauthorised access to patient medical records:
- Requesting Medical Records – Here, you can find out how to access your own medical records.
- NHS Data Breach Claims – You can find general information about data breach claims against the NHS here.
- HR Data Breaches – If HR has breached your personal data, this guide could be of use to you.
- Legal Expert Reviews – You can find out what other people have thought of our service levels here.
You can also read these links from across the web:
- Government guidance on the subject access request procedure.
- Information from the NHS on how to obtain copies of your medical records.
- Details from the NHS on viewing your GP health records.
If you still have any questions about making claims in the UK for unauthorised access to patient medical records, then you can contact Legal Expert for advice and assistance. You can reach our advisors either online or on the phone by using the contact details featured in this guide.
