Medical data breach and the exposure of private patient information

A medical data breach is often serious as our medical data often represents the most personal information that we will ever entrust to a third party.

The faith we invest in medical professionals to protect this data is indicative of our confidence in their ability to care, and in the health service more generally.

However, this trust is at risk of being eroded due to the succession of medical data breaches that we have encountered, either first-hand or in the headlines, in recent years. When such breaches occur, the exposed information can be highly sensitive and, depending on the affected individual’s circumstances, can dramatically affect their mental state and/or their relationships. It is vital that the confidential doctor-patient relationship at the heart of the NHS is not damaged by a failure to prevent these exposures.

What constitutes a medical data breach?

Your right to data privacy within a medical context is ensured through two key principles: the right to patient confidentiality, by which all medical professionals are trained to operate, and the overarching General Data Protection Regulation that governs data processing in the UK.

According to these regulatory principles, doctors are permitted to share information where there is clear purpose related to the treatment of a patient. For example, your GP may disclose your details to an appropriate specialist for your medical condition at a hospital. However, it would be inappropriate for them to grant access to another uninvolved practitioner or an external third party without good reason and/or with your consent.

Data breaches can also stem from a lack of security in an organisation’s computer systems, which can make data vulnerable to hacks. In such cases, while the organisation may not be the direct culprit of a cyberattack, they can be held responsible for failing to adequately protect your data.

Past cases: medical data breach exposes HIV status

In one of the most notorious cases of recent years, a medical data breach exposed the HIV status of almost 800 patients at the 56 Dean Street. The clinic was subsequently fined £180,000 in 2016 for accidentally revealing the names and email addresses of the patients in a mass email, and we continue to represent a large group of victims.

The error, unsurprisingly, caused immense distress to many of the victims, with fears that the exposure of their details would make them a recognizable HIV patient in their local London borough. A similar email error by NHS Highland also more recently saw the contact details and dates of birth of 284 people mistakenly sent to members of the public in  similar fashion.

In July 2020, a medical data breach also exposed the bank account details and trade correspondence of dentists belonging to the British Dental Association, after hackers accessed the organisation’s private data. This incident highlights that medical professionals can also fall victim to such breaches, as well as demonstrating the potential financial risks of information exposure. With these bank details, hackers could have been able to execute fraud.

Claiming compensation for a medical data breach

As the examples above demonstrate, a medical data breach can expose all kinds of personal information, with varying psychological and financial side-effects for the victims.

In any case, where your doctor, surgery or hospital has failed to adequately protect your information, you could be entitled to compensation. Do not hesitate to contact The Data Leak Lawyers if you have suffered distress or losses as a result of a medical data breach, as we can offer you free, no-obligation advice on your compensation claim.

The Transform Hospital Group data breach

Domestic violence and data protection breaches