How To Make A Claim For A Medical Conditions Data Breach

By Stephen Dallas. Last Updated 10th January 2023. If you are looking to claim compensation following a medical conditions data breach, you have come to the right place. In this guide, we aim to show you how you could get the maximum medical data breach compensation amount you could be owed.

A guide on claiming following a medical conditions data breach

Both the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) include provisions that make it possible for you to make a claim for a medical data breach in the UK.

Our team of advisors is dedicated to supporting potential claimants. Although data breach compensation cannot change what you have been through, it hopefully softens the blow and allows you to move on from what may have been a traumatic experience for you.

To find out how we could help you, contact us for more information. You may:

Choose A Section

  1. Can I Claim Compensation For A Medical Conditions Data Breach?
  2. What Are Medical Conditions Data Breaches?
  3. Possible Data Breaches Involving Medical Professionals
  4. How Much Can I Get For A Medical Conditions Data Breach?
  5. Should I Make A No Win No Fee Agreement?
  6. Further Guidance About Medical Conditions Data Breaches

Can I Claim Compensation For A Medical Conditions Data Breach?

A key element of claiming compensation for a medical conditions data breach is understanding whether there has been a breach of UK GDPR. Whoever controls or processes medical data must abide by several key principles including:

  • Personal data must be used in a fair, lawful and transparent manner
  • It should be clearly specified to a data subject why their data is being used
  • Only keep personal data that is necessary and relevant to the purpose for which it was collected
  • Personal information should be kept up to date
  • Personal data should be securely disposed of when no longer needed
  • Adequate security measures should be in place to ensure data is protected while being processed and stored

Personal data is information that can be used to identify you. Identifiable data relating to your health is seen as sensitive and needs extra protection.

A data controller, for example, a GP surgery or hospital, decides why personal data is processed and how it is used, and may process that personal data itself. Additionally, a data processor, such as a third-party company external to a health organisation, may be used to carry out the processing of data on the data controller’s behalf.

If either the data controller or data processor is found to have breached data protection law and their wrongful conduct caused the breach, you might have grounds for a valid claim. However, you must have suffered psychological harm or financial damage, or both, in order to claim medical data breach compensation. Our advisors offer a free consultation with no obligation. 

Medical Data Breach Compensation – Evidence You’ll Need To Claim

When making a claim for compensation for a data breach in the UK, it’s important to gather evidence of any harm or loss you have suffered as a result of the breach.

Below are some examples of the type of evidence people can consider collecting for medical data breaches claims:

  • Evidence of material damage: Bank statements, receipts or notification letters from your bank could offer proof of financial losses you have incurred.
  • Evidence of non-material damage: Correspondence from your therapist, medical reports or a diagnosis from a medical professional can prove psychological injuries such as anxiety or post-traumatic stress disorder (PTSD).

Additionally, a data controller or processor should notify you if a data breach has potentially affected your personal data. You could use this letter of notification as evidence that you have been the subject of a data breach.

Please don’t hesitate to contact us if you would like to ask an advisor any questions about claiming for medical records data breaches. Our advisors offer free legal advice and could answer your queries about collecting evidence to secure a medical data breach compensation amount.

What Are Medical Conditions Data Breaches?

When a data breach of medical records occurs, the data controller should inform the Information Commissioner’s Office (ICO) within 72 hours. The ICO is the UK’s independent body that enforces data protection laws. 

Although the ICO cannot get you a data breach settlement, the authority may impose a penalty on an organisation that commits a data protection breach of medical records.  

The ICO defines a personal data breach as a security incident in which personal data is unlawfully or accidentally:

  • Lost
  • Destroyed
  • Disclosed
  • Altered
  • Accessed

Furthermore, health data is given extra protection by data protection law because it is special category data, meaning the information is more sensitive. The UK GDPR defines health data in Article 4(15) as ‘data concerning health’, which may relate to information about your physical and mental health status. Health data may include:

  • Information concerning your medical history, such as diagnoses and clinical treatments
  • Medical examination data
  • Appointment details or anything which reveals your health status
  • Data recorded for health service registers
  • Your NHS number
  • Community Health Index (CHI) number in Scotland

If you can prove that you have suffered financial loss or psychological harm because of a data breach of medical information, and that this occurred because of wrongful conduct on the part of a data controller or data processor, you might be able to claim. Our advisors are available 24/7 to help you get the best possible settlement for a data breach claim.

Possible Data Breaches Involving Medical Professionals 

You might be wondering, ‘when can medical confidentiality be breached?’ Or, ‘when can a doctor breach confidentiality?’ In this section, we’ll discuss the possible causes of data breaches to help you understand how you could get compensation for a data breach claim.

Whilst data security incidents may occur due to cybercrimes, like phishing scams or ransomware threats, a medical conditions data breach may also happen through human error.

Other examples of cybercrimes that can potentially lead to a medical conditions data breach can include:

  • Hacking
  • Distributed denial of service (DDoS) attacks against a website
  • Theft of paperwork, computers or storage devices containing sensitive data on patients

Examples of human errors that could lead to a data breach of medical records include the following:

  • A letter with a patient’s confidential data is sent or faxed to the wrong recipient
  • Paperwork or an electronic device containing patient data is misplaced and/or lost
  • An email containing a patient’s sensitive data is accidentally sent to the wrong recipient
  • Paperwork containing patient data that is no longer needed or should be destroyed is not disposed of in a secure manner

The consequences of a data breach in healthcare can be very severe, both for the patients affected and for the health organisations involved. Real-world examples of healthcare data breach incidents include the following:

  • HIV Scotland failed to use BCC in an email sent to 105 people, meaning email addresses and some names were visible to all the recipients. In response, the ICO fined the Scottish charity £10,000.
  • The ICO ordered Croydon Health Services NHS Trust to introduce new data protection measures after an investigation found that staff had sent medical records to the wrong address. New processes introduced included double-checking address details before sending emails.
  • When NHS Surrey failed to check if an external company had properly disposed of thousands of children’s patient records, the incident led to patients’ information “effectively being sold online”. The ICO fined NHS Surrey £200,000.

The Latest Data Breach Statistics 

The latest data security incident statistics (Q4 of 2021/2022) published by the ICO found that the health sector was most frequently affected by data breaches. The most common incident types were as follows:

  • Unauthorised access (74)
  • Other non-cyber incidents (80)
  • Data emailed to incorrect recipient (57)
  • Data posted or faxed to the wrong address (71)
  • Loss or theft of paperwork (45)

If a medical conditions data breach affected you but the type of incident is not listed above, don’t worry, as you still might be able to start a claim. Our team of advisors is available to contact, and they could talk you through matters such as the criteria for having a valid claim following a breach of medical information. Furthermore, if our advisors determine you have a strong case, they could potentially connect you to a solicitor from our panel to help you get a payout for your medical records breach claim.

How Much Can I Get For A Medical Conditions Data Breach?

When working out the compensation amount for a data breach claim, we should firstly discuss two cases that have affected how much you can seek for a personal data breach.

Following Vidal-Hall and others v Google Inc (2015), the Court of Appeal decided it is now possible for claimants to be compensated for psychological injuries even if they haven’t suffered any financial damage from a data breach. In addition, the Court in the case of Gulati & Ors v MGN Ltd (2015) held that those who suffer psychologically due to data breaches could have their claim valued in the same way as a personal injury.

Compensation for mental damage is also called non-material damage. We are able to use the 16th edition (April 2022) of the Judicial College Guidelines to give you an idea of what you may claim for a data breach of medical conditions. 

It’s worth noting that the compensation ranges featured are estimations based on previously settled court cases and do not necessarily indicate the data breach claim amount you might receive.

Injury | Compensation Range | Notes
Severe Psychiatric Damage | £54,830 to £115,730 | All aspects of your life will be affected to some extent.
Moderately Severe Psychiatric Damage | £19,070 to £54,830 | You may be left unable to work.
Moderate Psychiatric Damage | £5,860 to £19,070 | Symptoms persist but the prognosis is a lot more optimistic.
Less Severe Psychiatric Damage | £1,540 to £5,860 | The prognosis is good.
Severe Post-Traumatic Stress Disorder | £59,860 to £100,670 | Due to the severity of your PTSD symptoms, you are unable to work.
Moderately Severe Post-Traumatic Stress Disorder | £23,150 to £59,860 | Significant issues persist; however, a slightly more optimistic prognosis is expected.
Moderate Post-Traumatic Stress Disorder | £8,180 to £23,150 | Despite ongoing symptoms, you are likely to make a recovery.
Less Severe Post-Traumatic Stress Disorder | £3,950 to £8,180 | You will have fully recovered within one or two years.

What Are Examples Of Material Damage?

Material damage covers the financial harm caused by your medical conditions data breach. For example, you might suffer a loss of earnings due to taking time off work to recover from the effects of the breach. Additionally, you might suffer anxiety and therefore have to pay for prescriptions. You should keep hold of your wage slips, receipts and bank statements to prove your financial losses and expenses.

Our panel of data breach solicitors could offer a more accurate estimate of what medical data breach compensation you might receive. Connect with our team to find out more using our live chat feature.

Should I Make A No Win No Fee Agreement?

The financial impact of a medical conditions data breach could leave you struggling. The idea of funding legal representation may feel out of reach for you; however, it doesn’t have to be. Our panel of data breach solicitors accepts claims on a No Win No Fee basis so that funding legal representation is accessible for everyone.

A No Win No Fee agreement may benefit you because:

  • You’ll pay no upfront solicitor’s fee
  • You’ll pay no solicitor’s fee if your claim is unsuccessful
  • If your claim is successful, you’ll pay a legally capped fee to your solicitor for their services

Ask About Medical Conditions Data Breach Claims

If you would like to check if you are eligible to work with a No Win No Fee solicitor, you should request a call back by filling out a form at the top of this page. Otherwise, you can:

Further Guidance About Medical Conditions Data Breaches

Before we let you go, you should know there is a data breach claim time limit. The timeframe for a data breach claim is six years, generally, if you’re claiming against a non-public body. If you are claiming against a public body, you could have one year to claim. 

We wanted to share some additional resources that could help you understand more about a medical conditions data breach and the claims process.

Stress – Get help with stress from the NHS.

Guide to the General Data Protection Regulation – How organisations can comply with the UK GDPR.

Other Data Breach Guides

If you would like to speak to an advisor about medical conditions data breach claims, or you feel like you are ready to take action, please get in touch with our advisors. They can provide a free, no-obligation consultation.

Writer Lewis Julius

Publisher Ruth Vernon