NHS Data Breach Compensation Claims

This guide considers what you could do following an NHS data breach.

Whether you work for the NHS or you are a patient, it is likely that the NHS holds some of your personal data. If your personal information, which includes health information, is exposed in a data breach, you could be eligible to claim if you suffer as a consequence.

You could receive compensation for the financial losses and the emotional harm a data breach causes. However, there are certain criteria that your claim would have to fulfil to be successful.

This guide has been created to offer you useful information relating to data breach compensation claims. In the sections below, we answer questions about the role of the Information Commissioner’s Office (ICO) when it comes to information governance.

Further to this, we explain the laws that protect the privacy and security of your personal data. We offer information on the potential data breach consequences you could face and guidance on claiming compensation for damages.

Finally, we offer guidance on No Win No Fee data breach claims, and how our panel of solicitors could assist you. For case-specific guidance and support, you can contact our advisors at any time. You can reach us on 0800 408 7825.

Select A Section

  1. NHS Data Breach Claims Explained
  2. What Is An NHS Data Breach?
  3. How Does Data Get Breached?
  4. What Damages Could You Claim For A Data Breach?
  5. NHS Data Breach Compensation Amounts
  6. No Win No Fee Claims For A Data Breach
  7. Contact Us About An NHS Data Breach
  8. Where Can I Find Out More?

NHS Data Breach Claims Explained

When it comes to patient data and staff data, the NHS has a legal responsibility to keep personal information secure.

Under the UK General Data Protection Regulation (UK GDPR), data controllers and data processors have legal responsibilities to ensure robust information governance.

Data controllers are organisations that decide how and why your personal information will be used. Data processors are separate organisations that data controllers sometimes use to process personal data on their behalf.

Personal information (or personal data) is any data that can be used to identify you directly or in combination with other data. For example, your name and address are examples of personal information.

In the UK, the Data Protection Act 2018 (DPA) sits alongside the UK GDPR.

Data protection legislation gives data subjects certain rights when it comes to their personal data. In addition, it puts legal responsibilities on data controllers. (Data subjects are those whose personal information is processed: patients or employees, for example.)

The application of the UK GDPR means that all organisations should actively work to protect patient data and staff data from being compromised. This includes the NHS. However, sometimes things do not go according to plan.

How This Guide Could Help

This guide explains how data subjects whose personal data has been exposed, causing them financial and/or psychological damage, could claim compensation.

The sections below explain how data breaches could occur, the potential consequences, and how much compensation could be achievable. Further to this, we offer some examples of NHS data breaches and some statistics relating to them.

Finally, we offer insight into how we could help you begin a claim for compensation under a No Win No Fee agreement if you have evidence of a valid claim.

How Many People Are Affected By NHS Data Breaches? 

A report in The Independent newspaper covered this. It revealed that in one incident, a woman had visitors to her front door who explained that her personal medical details had been sent to other people.

Source: https://www.independent.co.uk/news/health/data-nhs-patient-breaches-privacy-b1877154.html

The Information Commissioner’s Office (ICO) is the body responsible for enforcing data protection law in the UK. It publishes data breach statistics quarterly, and according to the Q2 2021/22 report, the sector with the highest number of breaches during this period was the health sector. You can see how this compares with other sectors below.

NHS data breach statistics graph

What Is An NHS Data Breach?

If a data breach exposes your personal data, which leads to financial and/or emotional damage, you could claim compensation for it. To make a valid data breach compensation claim, you would also need to prove that there was positive wrongful conduct on the data controller or processor’s part and that the breach exposed your personal information and caused you harm.

But what is a data breach and how could it happen? Simply put, a data breach is any data security incident that leads to the unauthorised or unlawful access to, disclosure of, alteration of, loss of or destruction of personal information.

In terms of NHS data, this could include personal information such as your name, address or email address. Or, it could include sensitive medical information held in your medical records. This could include details of any medical conditions you have, and the treatment you are taking, for example.

A data breach could relate to personal data held on apps or health and social care data held in filing cabinets, for example. It could include digital data or physical data.

Data breach consequences could mean you become the victim of financial theft. Alternatively, the exposure of your personal data could lead you to suffer data breach distress, anxiety and other psychological injuries.

Under the UK GDPR, you could claim compensation for both non-material (emotional) and material (financial) damages caused to you. You would need to be able to prove that the other party acted wrongfully or negligently in regard to your data protection, and that this conduct caused the exposure of your data.

If you have evidence that your personal data was involved in an NHS data breach, you suffered as a result and the breach was caused by positive wrongful conduct, why not reach out to us?

How Does Data Get Breached?

When you first think about how a data breach could occur, you may instantly consider cybercrime. It is true that cybercriminals could hack into digital systems using malware, for example. However, one of the biggest causes of data breaches in the health sector is data being emailed to the wrong person. Other ways in which data breaches could occur could be:

  • Poor information governance – If robust data protection factors, such as a security protection toolkit, two-factor authentication for sensitive data and a robust training programme, are not implemented properly, this could lead to breaches.
  • Human error – Failure to BCC people into an email and using CC instead, sending letters to the wrong postal address despite having the correct one on file, and failing to redact personal information could lead to a data breach.
  • Loss or theft of devices containing data – If someone leaves a laptop or USB on a train, for example, and it contains unsecured personal information, this could cause a data breach.

As we have mentioned, to make a successful claim, you would need to prove that the data controller or processor had acted negligently or wrongfully in respect of your data privacy and security. You would need to be able to evidence that your personal data had been exposed in a breach as a consequence, and that it harmed you financially or emotionally.

What Damages Could You Claim For A Data Breach?

Under the UK GDPR, you could claim for both non-material and material damages, or either. If you are not sure what these are, we explain below:

  • Material damages could include monies taken from you because of the data breach, or other financial losses caused. This can include the costs associated with restoring damaged credit files, for example.
  • Non-material damages are harder to quantify. They could include compensation for loss of privacy, and psychological injuries such as distress, stress and lack of sleep.

A case from 2015, Vidal-Hall and others v Google Inc [2015], set a precedent that means you could receive compensation for psychological injuries caused by exposure of your personal data, even if you haven’t also suffered financial loss. So you could now claim for both material damages and non-material damages, or either.

NHS Data Breach Compensation Amounts

To claim for any non-material or material damages, you would need to evidence them. Evidencing financial impacts of data breaches could be relatively simple. You would simply need to evidence any costs or losses you’d experienced by way of bank statements, bills and receipts, for example.

Evidencing non-material damages would involve independent medical evidence as to the nature and severity of your psychological injury. An independent medical professional would, as part of the claims process, check your injuries and any relevant medical records. They’d then create a report that aims to:

  1. Assess whether your injuries were caused or exacerbated by the data breach.
  2. Establish the severity of the injuries.

How Much Can You Claim For A Data Breach?

As we mentioned, the compensation you could receive for psychological injuries would depend on the level of severity of your injury. Data breach solicitors could measure the independent medical report against the Judicial College Guidelines to come to an appropriate settlement amount.

The Judicial College Guidelines is a publication that lists varying injuries and their severities alongside potential compensation brackets. The table below gives figures from it. It could act as an alternative to a personal injury claims calculator.

| Injury | Severity | Guide to compensation bracket |
|---|---|---|
| PTSD/Post-Traumatic Stress Disorder | Less severe | Up to £7,680 |
| PTSD/Post-Traumatic Stress Disorder | Moderate | £7,680 to £21,730 |
| PTSD/Post-Traumatic Stress Disorder | Moderately severe | £21,730 to £56,180 |
| PTSD/Post-Traumatic Stress Disorder | Severe | £56,180 to £94,470 |
| General psychological injury | Less severe | Up to £5,500 |
| General psychological injury | Moderate | £5,500 to £17,900 |
| General psychological injury | Moderately severe | £17,900 to £51,460 |
| General psychological injury | Severe | £51,460 to £108,620 |

If you can’t see your injuries in the compensation table above, get in touch. Our advisors can value claims for free.

This guide on what steps you could take after an NHS data breach aims to help you. However, if you have unanswered questions, reach out to us.

No Win No Fee Claims For A Data Breach

Are you worried about the cost of utilising the services of a data breach solicitor for a data breach claim? If so, you might want to claim under a No Win No Fee agreement.

Many claimants believe, and we believe too, that having legal support on their side could give them a better chance of success when making data breach claims. A data breach solicitor could put together a strong case on your behalf. They could also negotiate for the maximum compensation possible for your claim.

By making a No Win No Fee claim, you can use such legal services with confidence that you won’t have to pay for the solicitor’s work unless they achieve compensation for you.

Could I Make A No Win No Fee Claim?

Prior to starting a No Win No Fee claim, your solicitor will need to ascertain whether:

  • There is enough evidence to prove a data breach occurred and that it involved your personal data.
  • It can be proved that it happened because the defendant did something wrong or did not do something they were supposed to.
  • It can be proved that you suffered physically or financially because of the breach.

Further to this, they would need to check the time limits to ensure that your claim falls within the correct limitation period. For claims against public bodies, you would usually have one year in which to claim. However, for other data breach claims, you may have six years.

How Does It Work?

If a data breach solicitor says they will take on your claim on a No Win No Fee basis, they will send you a Conditional Fee Agreement. This is a contract that you may also hear referred to as a No Win No Fee agreement. It sets out the terms and conditions that your case must meet for you to pay the success fee to your solicitor.

The success fee is a small percentage of your compensation payout. It is also subject to a legal cap. When you sign the agreement the lawyer will be able to begin your claim. You will pay them out of your compensation payout only after it comes through.

Should your claim not result in compensation, you won’t cover the solicitor’s fees at all.

If you’d like to ask us anything else about No Win No Fee claims, please do not hesitate to contact our advisors. We could check whether your case meets the criteria to make a claim under a No Win No Fee agreement.

Contact Us About An NHS Data Breach

Do you have evidence of a data breach claim? Perhaps you have questions about how much compensation you could receive or whether you could be eligible to claim. Whatever your position, please contact our advisors and we will give you the advice and support you seek.

You can contact us in a variety of ways:

  • By calling our helpline 0800 408 7825
  • Using the live chat to connect with an advisor
  • Completing the contact form to receive a callback

Where Can I Find Out More?

We’ve come to the end of this article about what you could do following an NHS data breach. Why not use the helpful sources below?

Lost Or Stolen Device Data Breach: The loss/theft of devices containing personal data could constitute a data breach.

Wrong E-mail Address Breach: Find guidance if you’ve been harmed by an email address breach here.

Data Breach Compensation Guidance: Our definitive guide to data breach compensation.

Guidance On Your Data: The ICO provides guidance relating to your data rights.

Data Protection gov.uk: Data Protection Act guidance can be found here.

The UK GDPR: You can find guidance on GDPR here.

Article by OE

Publisher UI