Claiming For NHS Data Breach

By Cat Mulligan. Last Updated 15th August 2023. This guide considers what you could do following an NHS data breach.

Whether you work for the NHS, or you are a patient, it is likely that they would have some of your personal data. If your personal information, which includes health information, is exposed in a data breach, you could be eligible to claim if you suffer as a consequence.


You could receive compensation for the financial losses and the emotional harm a data breach causes. However, there are certain criteria that your claim would have to fulfil to be successful.

This guide has been created to offer you useful information relating to data breach compensation claims. In the sections below, we answer questions about the role of the Information Commissioner’s Office (ICO) when it comes to information governance.

Further to this, we explain the laws that protect the privacy and security of your personal data. We offer information on the potential data breach consequences you could face and guidance on claiming compensation for damages.

Finally, we offer guidance on No Win No Fee data breach claims, and how our panel of solicitors could assist you. For case-specific guidance and support, you can contact our advisors at any time. You can reach us on 0800 408 7825.

Select A Section

  1. NHS Data Breach Claims Explained
  2. What Is An NHS Data Breach?
  3. How Does Data Get Breached?
  4. What Damages Could You Claim For A Data Breach?
  5. NHS Data Breach Compensation Amounts
  6. No Win No Fee Claims For A Data Breach
  7. Contact Us About An NHS Data Breach
  8. Where Can I Find Out More?

NHS Data Breach Claims Explained

When it comes to patient data and staff data, the NHS has a legal responsibility to keep personal information secure.

Under the UK General Data Protection Regulation (UK GDPR), data controllers and data processors have legal responsibilities to ensure robust information governance.

Data controllers are organisations that decide how and why your personal information will be used. Data processors are separate organisations that data controllers sometimes use to process personal data on their behalf.

Personal information (or personal data) is any data that can be used to identify you directly or in combination with other data. For example, your name and address are examples of personal information.

In the UK, the Data Protection Act 2018 (DPA) sits alongside the UK GDPR.

Data protection legislation gives data subjects certain rights when it comes to their personal data. In addition, it puts legal responsibilities on data controllers. (Data subjects are those whose personal information is processed: patients or employees, for example.)

The application of the UK GDPR means that all organisations should actively work to protect patient data and staff data from being compromised. This includes the NHS. However, sometimes things do not go according to plan.

How This Guide Could Help

This guide explains how data subjects whose personal data has been exposed, causing them financial and/or psychological damage, could claim compensation.

The sections below explain how data breaches could occur, the potential consequences, and how much compensation could be achievable. Further to this, we offer some examples of NHS data breaches and some statistics relating to them.

Finally, we offer insight into how we could help you begin a claim for compensation under a No Win No Fee agreement if you have evidence of a valid claim.

How Many People Are Affected By NHS Data Breaches?

A report in The Independent newspaper covered this. It revealed that in one incident, a woman had visitors to her front door that explained her personal medical details had been sent to other people.
The Information Commissioner’s Office (ICO) is the body responsible for enforcing data protection law in the UK. It publishes data breach statistics quarterly, and according to the Q2 2021/22 report, the sector with the highest number of breaches during this period was the health sector. You can see how this compares with other sectors below.

[Graph: NHS data breach statistics by sector, ICO Q2 2021/22]

What Is An NHS Data Breach?

If a data breach exposes your personal data, which leads to financial and/or emotional damage, you could claim compensation for it. To make a valid data breach compensation claim, you would also need to prove that there was positive wrongful conduct on the data controller or processor’s part and that the breach exposed your personal information and caused you harm.

But what is a data breach and how could it happen? Simply put, a data breach is any data security incident that leads to the unauthorised or unlawful access to, disclosure of, alteration of, loss of or destruction of personal information.

In terms of NHS data, this could include personal information such as your name, address or email address. Or, it could include sensitive medical information held in your medical records. This could include details of any medical conditions you have, and the treatment you are taking, for example.

A data breach could relate to personal data held on apps or health and social care data held in filing cabinets, for example. It could include digital data or physical data.

Data breach consequences could mean you become the victim of financial theft. Alternatively, the exposure of your personal data could lead you to suffer data breach distress, anxiety and other psychological injuries.

Under the UK GDPR, you could claim compensation for both non-material (emotional) and material (financial) damages caused to you. You would need to be able to prove that the other party acted wrongfully or negligently in regard to your data protection. This would need to cause the exposure of your data.

If you have evidence that your personal data was involved in an NHS data breach, you suffered as a result and the breach was caused by positive wrongful conduct, why not reach out to us?

How Does Data Get Breached?

When you first think about how a data breach could occur, you may instantly consider cybercrime. It is true that cybercriminals could hack into digital systems using malware, for example. However, one of the biggest causes of data breaches in the health sector is data being emailed to the wrong person. Other ways in which data breaches could occur could be:

  • Poor information governance – If robust data protection factors, such as a security protection toolkit, two-factor authentication for sensitive data and a robust training programme, are not implemented properly, this could lead to breaches.
  • Human error – Failing to BCC people into an email and using CC instead, sending letters to the wrong postal address despite having the correct one on file, and failing to redact personal information could lead to a data breach.
  • Loss or theft of devices containing data – If someone leaves a laptop or USB on a train, for example, and it contains unsecured personal information this could cause a data breach.

As we have mentioned, to make a successful claim, you would need to prove that the data controller or processor had acted negligently or wrongfully in respect of your data privacy and security. You would need to be able to evidence that your personal data had been exposed in a breach as a consequence, and that it harmed you financially or emotionally.

What Damages Could You Claim For A Data Breach?

Under the UK GDPR, you could claim for both non-material and material damages, or either. If you are not sure what these are, we explain below:

  • Material damages could include monies taken from you because of the data breach, or other financial losses caused. This can include the costs associated with restoring damaged credit files, for example.
  • Non-material damages are harder to quantify. They could include compensation for loss of privacy, and psychological injuries such as distress, stress and lack of sleep.

The 2015 case Vidal-Hall and others v Google Inc [2015] set a precedent that means you could receive compensation for psychological injuries caused by exposure of your personal data, even if you have not also suffered financial loss. As a result, you could now claim for material damages, non-material damages, or both.

NHS Data Breach Compensation Amounts

To claim for any non-material or material damages, you would need to evidence them. Evidencing financial impacts of data breaches could be relatively simple. You would simply need to evidence any costs or losses you’d experienced by way of bank statements, bills and receipts, for example.

Evidencing non-material damages would involve independent medical evidence as to the nature and severity of your psychological injury. An independent medical professional would, as part of the claims process, check your injuries and any relevant medical records. They’d then create a report that aims to:

  1. Assess whether your injuries were caused or exacerbated by the data breach.
  2. Establish the severity of the injuries.

How Much Can You Claim For A Data Breach?

As we mentioned, the compensation you could receive for psychological injuries would depend on the level of severity of your injury. Data breach solicitors could measure the independent medical report against the Judicial College Guidelines to come to an appropriate settlement amount.

The Judicial College Guidelines is a publication that lists varying injuries and their severities alongside potential compensation brackets. The table below gives figures from it. It could act as an alternative to a personal injury claims calculator.

Injury                                Severity            Guide to compensation bracket
PTSD/Post-Traumatic Stress Disorder   Less severe         Up to £7,680
PTSD/Post-Traumatic Stress Disorder   Moderate            £7,680 to £21,730
PTSD/Post-Traumatic Stress Disorder   Moderately severe   £21,730 to £56,180
PTSD/Post-Traumatic Stress Disorder   Severe              £56,180 to £94,470
General psychological injury          Less severe         Up to £5,500
General psychological injury          Moderate            £5,500 to £17,900
General psychological injury          Moderately severe   £17,900 to £51,460
General psychological injury          Severe              £51,460 to £108,620

If you can’t see your injuries in the compensation table above, get in touch. Our advisors can value claims for free.

This guide on what steps you could take after an NHS data breach aims to help you. However, if you have unanswered questions, reach out to us.

No Win No Fee Claims For A Data Breach

If you are eligible to start a personal data breach claim, a solicitor from our panel could help. The solicitors on our panel have years of experience in data breach claims, and working with one could make the process seem less daunting. A solicitor can help you support your claim by gathering evidence and arranging an independent medical assessment, and can offer further guidance on your potential medical data breach compensation amount.

Should you choose to work with a solicitor from our panel, they may offer you a Conditional Fee Agreement (CFA). This is a type of No Win No Fee arrangement that allows you to access their services for no upfront or ongoing fees. There are also no fees to pay for their work if your claim doesn’t succeed.

If your claim is successful, then your solicitor will take a success fee from your compensation. They take this as a small percentage, though there is a legal cap in place which helps ensure that the majority of what you receive stays with you.

We hope our guide has given you some insight into the potential steps you could take should you be affected by an NHS data breach. Compensation for data breach claims can vary widely and depends very much on your individual circumstances. To find out more, or to see if you could be eligible to work with one of the solicitors on our panel, you can get in touch with our advisors using the contact details in the next section.

Contact Us About An NHS Data Breach

Do you have evidence of a data breach claim? Perhaps you have questions about how much compensation you could receive or whether you could be eligible to claim. Whatever your position, please contact our advisors and we will give you the advice and support you seek.

You can contact us in a variety of ways:

  • By calling our helpline 0800 408 7825
  • Using the live chat to connect with an advisor
  • Completing the contact form to receive a callback

Where Can I Find Out More?

We’ve come to the end of this article about what you could do following an NHS data breach. Why not use the helpful sources below?

Lost Or Stolen Device Data Breach: The loss/theft of devices containing personal data could constitute a data breach.

Wrong E-mail Address Breach: Find guidance if you’ve been harmed by an email address breach here.

Data Breach Compensation Guidance: Our definitive guide to data breach compensation.

Guidance On Your Data: The ICO provides guidance relating to your data rights.

Data Protection: Data Protection Act guidance can be found here.

The UK GDPR: You can find guidance on GDPR here.
