Unauthorised Access To Patient Medical Records UK – Can I Claim?
By Cat Way. Last Updated 6th September 2023.
In this guide, we look at how you could go about claiming compensation for unauthorised access to patient medical records in UK hospitals. Your medical records may contain sensitive information relating to illnesses and medical conditions that you either currently have or have experienced in the past. They also usually contain personal details such as your name and address, your next of kin, your ethnic origin and other personal data.
As such, any organisation that processes your medical records should take great care to ensure they protect that personal data. But what happens if someone gains unauthorised access to patient medical records in the UK? What consequences could this cause? And could a person who suffers harm because of inappropriate access to medical records in the UK claim compensation?
Select A Section
- Can I Claim Compensation For Unauthorised Access To Patient Medical Records UK?
- Evidence To Support A Claim After A Patient’s Medical Records Were Accessed Without Authorisation
- Medical Data Breach – Unauthorised Access To Patient Medical Records
- Cyber Security Considerations For NHS Patient Data
- Disclosure of Medical Information Without Consent UK
- How Should Medical Records Be Processed?
- What Rights Do Patients Have To Access Their Own Medical Records?
- Can You Access Someone Else’s Medical Records?
- Who Do I Report Unauthorised Access To NHS Medical Records To?
- Compensation Payouts For Unauthorised Access To Patient Medical Records In The UK
- No Win No Fee Legal Help Following Inappropriate Access To Medical Records In The UK
- Learn More About Claiming Compensation For Unauthorized Access To Patient Medical Records
There are a number of different NHS service providers that can decide why and how they need to use your personal data (to add to your medical records, for example). As such, they could be considered a data controller or a data processor. Therefore, they should ensure they protect data subjects against unauthorised access to medical records. They have a legal obligation to do so under the Data Protection Act 2018 and the UK GDPR. Alongside this legislation, the Access to Health Records Act 1990 and the Access to Medical Reports Act 1988 also apply to accessing medical records in certain circumstances.
You could potentially claim compensation for unauthorised access to patient medical records within UK services if the following applies and can be proven with evidence:
- You were directly affected by this breach of data
- The breach caused you to suffer emotional and/or financial harm
- The breach occurred because the organisation responsible for holding your medical records failed to take the correct steps to secure this information through positive wrongful conduct
You may be able to claim whether the breach was caused by a cybersecurity incident such as hacking or a mistake by an NHS worker. But what is unauthorised access to patient medical records in the UK? And what data could be breached?
Sharing Medical Records Without Consent – Can Medical Records Be Shared?
A medical facility sharing your medical records without your consent could be an example of a breach of data protection law. According to the ICO, any data concerning health would generally be considered special category data under the UK GDPR, meaning it should be afforded further protections due to the sensitive nature of the information.
Accessing medical records without adequate reason or permission could also be an example of a data breach – even if the information is not shared.
To find out if you could be compensated for the physical or psychological impact of a medical data breach, get in touch with our solicitors today.
Data Breach Of Medical Records – How Long Do I Have To Claim?
Before we examine how long you have to claim if your personal data was included in a patient data breach, we will look at what personal information could be compromised. Firstly, under Article 9 of the UK GDPR, information that could be found within your medical records, such as genetic data, is considered special category data. This means that along with other sensitive data, such as your ethnic origin, race or philosophical beliefs, medical data is typically given additional protection.
Personal data is information that can be used to identify a data subject. It includes your name, date of birth, address and phone number. This information could be included in a data breach of medical records. In addition, if your personal data is lost or altered without your authorisation, such as your address being deleted from your medical records, it could delay important medical appointments, causing further harm.
The time limits for claiming if you suffered harm due to a breach of your personal data are typically as follows:
- 6 years from the date of knowledge for claiming against a non-public body
- 1 year from the date of knowledge for claiming against a public body
Reporting A Data Breach
If you would like to know how to report a breach of patient confidentiality, it depends on the nature of the unauthorised disclosure. For example, if a nurse or receptionist verbally shares your personal data over the phone, you might be able to report the matter to their supervisor. Additionally, you might like to report the unauthorised disclosure to the ICO, in the same way you would report any other type of data breach incident.
Should an organisation suspect that your personal data was included in a data breach, they must inform you without undue delay if it could infringe on your rights. For example, the organisation may send you a letter. This letter could be submitted as evidence should you wish to claim.
Call our advisors for advice about reporting your personal data’s inclusion in a breach. The advice they give is free.
You may be wondering what evidence could support a personal data breach claim after unauthorised parties had access to your medical records in the UK.
Evidence can help strengthen multiple areas of your claim, and you can collect this alone or with the help of an expert No Win No Fee solicitor. For example, with the right evidence, you can illustrate how the breach occurred, how it has affected your mental health, and how it has affected your finances. Some examples of evidence you could use to support your claim include:
- Letter of notification: In some cases, you may receive a letter of notification from the organisation responsible for the breach. This can then be used as evidence, as it may state what data was affected and how the breach occurred.
- Correspondence with the ICO: Correspondence with the ICO, such as the results of an investigation or a complaint, could also be used as evidence in your claim.
- Medical records: Your medical records can support a claim for damage to your mental health, as these can illustrate the effect the breach has had on your well-being.
- Financial statements: Financial documents such as bank statements and credit reports can help demonstrate how the breach has affected you financially.
These are only a few examples of evidence that you could collate and use to help strengthen your claim. To learn more about claiming after a data breach that has affected a patient’s medical records, contact our team today.
The Information Commissioner’s Office (ICO) is the UK’s independent body that ensures organisations comply with data protection legislation. It defines a personal data breach as a security incident that may result in your information being accidentally or unlawfully destroyed, lost, altered, disclosed or accessed.
Unauthorised access to patient medical records in the UK occurs when medical data is unlawfully accessed by staff or other persons who are not required to process that data as part of their job role, and it is classed as a medical data breach. This may occur via a phishing attack, or through medical computer systems being hacked or targeted by malware. It is down to organisations to protect you against such threats, for example by ensuring staff receive cybersecurity training and by protecting their computer systems with a firewall.
However, such a data breach could also occur via a non-cyber incident. For example, if an organisation does not store your medical records in locked filing cabinets, your data could be lost or stolen. Additionally, your medical records could be emailed to the wrong home address despite your correct address being on file.
How Could Unauthorised Access To Patient Medical Records Happen?
There are many ways that someone could get unauthorised access to patient medical records, including:
- A staff member leaves your records open and unattended on a public-facing desk.
- Your medical records are faxed to the wrong address, or posted to the wrong postal address.
- Inadequate cybersecurity defences allow cybercriminals to access your medical records online.
As we’ve already mentioned, you must be able to prove that the medical records data breach was caused by the organisation’s wrongful conduct in order to claim data breach compensation.
Our advisors are here to help if you’d like to learn more about making a data breach compensation claim. Get in touch today to start your free consultation.
The House of Commons put together a briefing paper in May 2020 which covered the access and sharing of patient health records. It covers patient access to medical records as well as the authorisation of persons other than the patient to access patient records. The document also includes the requirements of the General Data Protection Regulation (GDPR) as they are now enshrined in the Data Protection Act 2018.
The 10 Data Standards
It mentions the 10 data security standards that the NHS should adhere to, which are:
- Staff must ensure that they handle, transmit and store all personal confidential data securely, whether it is in paper or electronic form.
- They must understand their own responsibilities to adhere to the Data Security Standards, including their personal accountability for avoidable or deliberate breaches and their obligations to responsibly handle information.
- Staff must complete security training annually. They will be required to sit a test, which they must pass.
- Personal confidential information should only be accessed by staff who need it for their role; such access should be removed when it is no longer required.
- There should be a review of processes annually at least to identify issues and improve processes that may have caused near misses or breaches.
- The NHS should ensure that it identifies and resists cyber attacks. It should act immediately following a near miss or data breach. Reports should be made to senior management within 12 hours of them being detected.
- There should be a continuity plan in place to respond to data security threats and this should be tested at least annually.
- No operating systems that are unsupported should be used within the NHS IT estate.
- There should be a strategy in place, based on a proven cybersecurity framework, to protect IT systems from cyber threats, and it should be reviewed at least annually.
- Any IT supplier is held accountable to protect the personal confidential information they are required to process.
It is vital that those who handle personal data do so securely and confidentially. A breach of personal data can cause not only financial problems but also mental illness.
In the UK, the Access to Medical Reports Act 1988 defines your rights to access your medical records. Obtaining medical records in the UK usually involves contacting the relevant medical service, such as your hospital, GP or dentist, and requesting them. Healthcare records can include handwritten notes from your doctor, medical reports, audio and visual recordings or correspondence with a medical professional.
Improper conduct regarding the disclosure of medical information without consent in the UK could include:
- Members of staff discussing patient details that are confidential with unauthorised parties.
- Sensitive information being spoken about in patient wards or reception areas, leading to it being overheard.
- Losing patient notes that are vital to their recovery.
- An email from a specialist being lost or deleted by mistake.
As for what medical professionals can do in this regard, they should ensure that sensitive patient information is not shared unless completely necessary, that passwords are kept private, and that patient records are only ever accessed for a legitimate reason.
You may be able to claim if your medical information has been shared without consent, leading to you suffering some form of psychological injury. This could lead to stress, anxiety or, in extreme cases, Post-Traumatic Stress Disorder (PTSD).
What Is Recommended?
Guidance about the access and disclosure of personal records includes the following recommendations:
- Staff should not leave patients’ notes or records unattended, whether on paper or on a screen
- Staff should not share passwords
- Staff must not access patient records without a legitimate reason to do so
- Staff should not share personal information in chat forums or in a conversation where it could be overheard
If you are a data controller, you must ensure you process data in accordance with GDPR and its enshrinement into UK law under the Data Protection Act 2018.
It specifies that data controllers must develop and maintain an understanding of how to govern personal information. Even if you are not a data controller, if you still handle personal data in your job, you must make sure you are familiar with the policies relating to data management and confidentiality and follow the correct procedures.
You should also know where to ask for advice on such issues.
Subject to certain safeguards, patients have the right to access their medical records. The ICO states that there is no rule allowing those who respond to a Subject Access Request to ask for a fee to be paid.
Can I Access My Medical Records?
You may be wondering, “Can I access my medical records?” You should be able to access your medical records, but how they are accessed may depend on the type of information you want.
Any healthcare service that keeps your personal information should have security measures that prevent unlawful or inappropriate access to your medical records. For example, if you want to access medical records from your GP, they may ask you to first prove your identity before giving out any information.
If a healthcare provider does not have the correct security measures in place, and your medical records are accessed by an unauthorised third party as a result, you may be able to claim if you can prove negligence.
To learn more about claiming, please contact us for free using the details above.
If you’re wondering, ‘Can someone access my medical records without my permission?’, the answer is that it depends on the situation. According to the NHS, someone attempting to access another person’s medical records must:
- Have a legal basis for accessing such records
- Be acting on behalf of the other person, with that person’s authorisation to access their records
- Have power of attorney (a legal authority) to access their medical records
How Much Does It Cost To Get Your Medical Records In The UK?
You might wonder, ‘How much does it cost to get your medical records in the UK?’ Under the UK GDPR, you are able to make a subject access request for your medical records for free. However, if the request is unfounded or excessive, a fee could be charged.
Additionally, the Access to Medical Reports Act 1988 states that patients should have access to their medical report and the opportunity to review it before it is submitted to an organisation or employer that has requested access.
However, a health professional or hospital sharing your medical records may refuse the request if they think it could be significantly damaging to your physical or mental health if you were to see your records. Furthermore, if the disclosure would expose data about another non-consenting person, your request for access may be denied.
If an organisation or employer has gained unauthorised access to your medical records, our data breach solicitors could help you. Get in touch for additional information.
If you believe you’ve been impacted by unauthorised access to patient medical records in the UK, you should, as per ICO advice, take the issue up with the healthcare provider in the first instance. You could write to them, explaining what has happened and how it has affected you.
When Do I Inform The ICO If Someone Illegally Accessed My Medical Records?
If you are unhappy with the response to your report of illegal access to medical records or you don’t receive a reply, you could consider reporting your concerns to the ICO. The ICO could launch their own investigation and may take enforcement action against the organisation. The ICO suggests raising your concerns with them within three months of the final meaningful contact from the organisation you’re concerned about.
However, you could seek legal advice. You could contact our team for a free eligibility assessment, and we could even provide you with a data breach lawyer to help you start your claim.
If you intend to claim compensation for unauthorised access to patient medical records in the UK, a data breach lawyer may assess how the breach has affected you and review all the evidence to see what damages you could claim. The GDPR gives victims of data breaches the right to seek compensation for material and non-material damage. Although someone illegally accessing your medical records would not usually cause you financial harm, if it does, you could include such damages within your claim. Non-material damages could include loss of privacy, distress and even psychological or psychiatric harm.
Vidal-Hall and others v Google Inc – Court of Appeal
In the case above, the judge discussed personal injury awards for psychological and psychiatric harm due to data breaches and said they should be considered. Therefore, you may need to visit an independent doctor so that they can provide a report detailing your injuries and prognosis. Courts and data breach solicitors could use this report alongside the Judicial College Guidelines (JCG), a publication, to arrive at an appropriate amount for your claim. Below, you will see figures from the JCG relating to psychological injuries. This could give you some idea of the compensation brackets for such injuries.
| Injury | JCG Compensation Bracket | Severity |
| --- | --- | --- |
| Psychiatric Damage Generally | £54,830 to £115,730 | Severe |
| Psychiatric Damage Generally | £19,070 to £54,830 | Moderately Severe |
| Psychiatric Damage Generally | £5,860 to £19,070 | Moderate |
| Psychiatric Damage Generally | £1,540 to £5,860 | Less Severe |
| PTSD Injuries | £59,860 to £100,670 | Severe |
| PTSD Injuries | £23,150 to £59,860 | Moderately Severe |
| PTSD Injuries | £8,180 to £23,150 | Moderate |
| PTSD Injuries | £3,950 to £8,180 | Less Severe |
To find out more about what you could receive in a data breach claim, get in touch with our advisors at any time. They can offer free legal advice and could potentially connect you with one of our expert solicitors.
What else can payouts for unauthorised access to medical records include?
As mentioned above, you could potentially also claim material damages. Under material damages, you can claim back the costs of specific financial losses relating to the incident.
For example, if someone accessed your medical records without your permission, it may be possible for them to then create a personalised phishing scam designed to trick you into sending them money. If this happens to you, and you can prove it was caused by the negligence of the data processor or controller for your healthcare provider, you could potentially claim compensation.
Call us to find out more about payouts for unauthorised access to medical records.
If you are interested in making a claim for inappropriate access to your medical records in the UK, one of our solicitors may be able to help. Working with a solicitor can bring many benefits to your claim. For example, a solicitor can help you gather evidence, talk to witnesses, and explain any complex legal jargon.
Our solicitors offer their services on a No Win No Fee basis. They do this by offering their clients a Conditional Fee Agreement (CFA). Under a CFA, your solicitor won’t take any fees to start working on your claim or to continue their services. Likewise, if your claim doesn’t succeed, your solicitor won’t take a fee for their work.
If your medical data breach claim does succeed, then your solicitor will be due a success fee. This fee is taken from your compensation as a small percentage, though the amount they can take is capped by law. This legislative cap allows you to keep the majority share of what you receive.
To find out if one of our solicitors could help you make a personal data breach claim, contact our team of advisors today. They can offer a free evaluation, following which they may be able to connect you with one of our solicitors. To get started:
Below, you can find more useful information on the topic of unauthorised access to patient medical records:
- Requesting Medical Records – Here, you can find out how to access your own medical records.
- NHS Data Breach Claims – You can find general information about data breach claims against the NHS here.
- HR Data Breaches – If HR has breached your personal data, this guide could be of use to you.
- Legal Expert Reviews – You can find out what other people have thought of our service levels here.
Other Legal Expert Guides:
Below, you can find more of our guides on data breach claims:
- Making A Data Breach Claim Against Your GP
- Can You Claim For Stress Due To A Data Breach?
- How To Claim If An Employer Breached Data Protection
If you still have any questions about making claims in the UK for unauthorised access to patient medical records, then you can contact Legal Expert for advice and assistance. You can reach our advisors either online or on the phone by using the contact details featured in this guide. Our advisors can help with any queries you may have, such as whether you have grounds to claim because someone gained access to your medical records without permission.