Can You Claim Breach of Confidentiality NHS Compensation?

Breaches of confidentiality in the NHS occur when the personal data of patients is accessed or mishandled by an NHS organisation. Patients entrust the NHS with highly sensitive information, which is often attached to personally identifiable information including their name, date of birth and home address.

When this information is lost or improperly handled, patients’ wellbeing and livelihoods are put at risk. If your personal data has been breached by the NHS then you may be able to claim compensation for damages.

If you’ve been affected by a breach, or have had your data leaked by the NHS, get in touch for a FREE consultation.


What is breach of confidentiality?

A breach of confidentiality occurs in the NHS when personal data concerning a patient is accessed or shared without authorisation, or lost altogether.

The General Data Protection Regulation (GDPR) and Data Protection Act 2018 ushered in a new era of personal data protection and rights for individuals. Before these came into effect, medical professionals were still held accountable for breaches of confidentiality. However, the advent of these data protection laws has meant that NHS organisations that manage patients’ data are under greater scrutiny than ever, and for good reason.

The GDPR holds the NHS accountable for how it handles patient data across the entire patient journey. Patients are required to entrust the NHS with their own personal data in order to gain access to healthcare services. They do so on the proviso that this data will be stored securely and that it will not be accessed or shared unless absolutely necessary.

The GDPR details a number of principles that outline how organisations should handle personal data. These include:

  • Fair, lawful and transparent processing of data.
  • The data subject must be told of the legitimate purpose behind why their data is being processed.
  • Only the minimum amount of data should be collected to meet the specifications for collection.
  • Personal data should be accurate and up to date.
  • Any data should only be retained for as long as required or as is specified at the time of collection.
  • Data processing should be done securely and confidentially. For example, data might need to be encrypted.
  • A data controller (those holding data) must be able to demonstrate compliance with the above principles.

What is an NHS data breach?

NHS data breaches occur whenever data is mishandled in contravention of the GDPR by an NHS organisation, such as:

  • A private healthcare organisation providing NHS services
  • Opticians
  • Pharmacies
  • Dentists
  • NHS hospitals
  • NHS trusts
  • GP Surgeries

Cyber-attacks or sub-par security systems can lead to large-scale data breaches; however, breaches are more commonly caused by human error.

How can the NHS breach your data?

Common examples of data breaches occurring within the NHS include:

  • NHS staff accessing your medical records without a professional reason to do so.
  • Personal data being posted or emailed to the incorrect recipient.
  • Printed documents containing personal data being lost or left unattended in public spaces.
  • Medical records of patients being shared with an unauthorised third-party organisation.
  • Medical records being amended or changed with incorrect information, resulting in a delay in treatment.
  • Letters containing personal data being sent to the wrong address.


How often do NHS breaches of confidentiality take place?

Breaches of confidentiality in the NHS are much more common than you may think, with over 3,500 data breaches being reported to the ICO in the last two years alone. This number likely just represents a fraction of the total breaches that have taken place, as many more will go unnoticed and unreported by those affected.

According to figures compiled by the ICO, more data breaches were reported in the health sector than in any other sector in the first quarter of 2021. During this time there were 607 breaches reported, including:

  • 67 alterations of personal data
  • 112 incidents of paperwork loss or data left in insecure locations
  • 65 incidents of unauthorised (non-cyber) access
  • 126 unspecified non-cyber incidents

What major NHS breaches have there been?

May 2016

Chelsea and Westminster Hospital NHS Foundation Trust was fined £180,000 by the ICO after a sexual health clinic, 56 Dean Street, leaked the details of almost 800 patients who had attended HIV clinics. The clinic sent out a mass email and failed to blind copy its recipients, resulting in all 781 recipients being able to see each other’s email addresses, 730 of which contained the recipients’ full names.

February 2018

A coding error resulted in a data breach that affected 150,000 patients in England who had requested that their confidential health records only be used to provide them with care. The SystmOne application used by GPs failed to pass on this request to NHS England’s IT provider, which resulted in medical records being shared for research and auditing purposes.

September 2019

Over 2,000 patients were involved in a data breach by the Wrightington, Wigan and Leigh NHS Foundation Trust. The personal information breached included documents related to blood results, discharge letters and medication and is thought to have taken place over an 18-month period. Letters sent to affected patients stated that their information was accessed by ‘one or more members of our staff who did not have a legitimate reason to have access to that information’.

September 2019

The Charing Cross Gender Identity Clinic was found to have exposed the details of nearly 2,000 people over the course of two mass emails sent to roughly 900 people each. This resulted in all recipients of the message being able to see the emails of other recipients. Those affected risked their personal data being shared within their community and potentially being outed as being trans to their friends or families.

September 2020

Public Health Wales revealed that the personal information of over 18,000 people who had tested positive for coronavirus had been accidentally uploaded. The information was uploaded to a public server as a result of human error and included the initials, date of birth, geographic area and gender of 16,179 people. 1,926 people were affected by the security event to a lesser extent, with the data revealing that they shared a postcode with a nursing home or similar supported setting.

What happens if your confidentiality is breached by the NHS?

If your confidentiality has been breached by the NHS, or you think that your data has been breached in any other way, then you may be entitled to claim compensation for damages caused.

Our process for claiming data breach compensation

Free NHS Data Breach Consultation

You send us a message, or give us a call and tell us about how you’ve been affected by a data protection breach. We’ll ask you some questions and let you know whether or not we can assist you in making a claim.

Signing The Conditional Fee Agreement

If we believe that you have a strong case, then we’ll offer you our services. You’ll read and sign our CFA, and then we’ll be able to get to work investigating your claim.

Contacting The Defendant

We’ll get in touch with the business or organisation that has breached your data. Our team will deal with all these communications, and get in touch if they need any more information from you.

Talking To The Information Commissioner’s Office

We’ll find out if the organisation has reported the data breach (they’re legally required to).

Claiming Your Compensation

Once we have all the facts, we’ll be able to move your claim forward and try to win your compensation.

What can I claim for an NHS data breach?

Compensation claims against the NHS for data breaches or breaches of confidentiality can be broadly divided into two categories: material damage and non-material damage.

Material damage includes any financial losses that you may have incurred as a result of the breach. For example, you may have lost money as a result of your identity being stolen after an NHS trust breached your personal information.

Non-material damage accounts for any emotional or psychological damage caused by the breach of confidentiality or data breach. In some cases, a data breach could exacerbate pre-existing health conditions which can cause further distress. For example, medical records pertaining to your healthcare could be lost, resulting in a delay to your care.

How much compensation can I claim for NHS breach of confidentiality?

The amount of compensation that you can claim for an NHS breach of confidentiality will depend on the nature of your breach and the extent of the damages caused.

Data breach compensation amounts have ranged from £1,000 to £25,000 over the years, with the biggest compensation awarded to those whose private information has been made public knowledge.



Data Breach Compensation Amounts – Data Breach Help

Advice for claimants – NHS Resolution

Data security incident trends – ICO

NHS trust fined for 56 Dean Street HIV status leak – BBC News

NHS data breach affects 150,000 patients in England – BBC News

NHS investigation after personal medical information on thousands of Greater Manchester patients looked at – Manchester Evening News

Gender identity clinic leaks patient email addresses – BBC News

Public Health Wales Statement on Data Breach – Public Health Wales