By Mary Scott. Last Updated 21st September 2022. NHS digital patient data is both private and sensitive and can create serious threats to people’s mental health or finances if misused. Hacking, mismanagement, and human error can all lead to your personal information falling into the wrong hands. In this guide, we explore the justifications behind making a claim following an NHS data breach.
The recent introduction of the General Data Protection Regulation (GDPR) means that organisations have a legal duty to promptly inform you if your data has been breached. In this article, we explain the steps you can take to seek appropriate compensation if you’ve been affected.
Data breaches can result in identity theft, stolen finances, and mental suffering. We explain how it’s possible to work with a data breach protection lawyer on our panel and how much compensation different forms of damage could attract. Whether you’re a victim of a data breach or your patient records were accessed in a way you did not consent to, get in touch by:
- Calling us on 0161 696 9685
- email or write to us at Legal Helpline
- use the ‘call me back option for immediate access to free legal advice
A data breach lawyer can help you regain control of who sees and accesses your private and personal details. But they can also help you win compensation for the suffering a breach on the part of another may have caused you.
Select A Section
- A Guide On NHS Data Breach Compensation Claims
- What Are NHS Data Breach Compensation Claims?
- What Is Third-Party Data Sharing Under The GDPR?
- Enforcement Action Taken By The ICO Against Healthcare Providers
- Data Breach Compensation Calculator
- Types Of Compensation Awarded To Data Breach Victims
- Could The Information Commissioners’ Office Help Me?
- No Win No Fee NHS Data Breach Compensation Claims
- How A Data Breach Protection Lawyer Could Help You
- How Victims Of An NHS Data Breach Could Start Their Claim
- Speak To A Solicitor
- NHS Data Breach FAQs
- Where To Learn More
Firstly, it goes without saying that nobody wants to sue the NHS. But if you have evidence that they misused or exposed your personal information, this article can help. Data breaches can happen in any organisation or company that has our personal information. The consequences to you can be devastating.
To tackle this, GDPR was introduced by the EU and enacted into UK law in the form of the Data Protection Act 2018. This new legislation attempts to provide far-reaching protection over who has your data, what they do with it, and why they keep it.
You may have seen or read about some high-profile data breach cases in the press where hackers and unscrupulous agencies have accessed people’s personal details illegally. GDPR was introduced to help tackle this.
If you can demonstrate that an NHS data breach directly impacted you either financially or emotionally, please get in touch with us. We offer free advice on potential data breach cases. We could even connect you with one of our specialist solicitors from our panel.
When GDPR became EU law in 2018 (ratified by the UK pre-departure from the EU) it sought to provide protection for the personal information of millions. The expansion of the internet has taken privacy laws far beyond their origins and online activity has allowed our personal details to be exposed globally at unprecedented levels.
This danger means that companies have to take responsibility for what they do with our digital and physical data and what we consent to online. Thanks to GDPR, if they fail to protect our information from abuse, we can take steps to right the wrongs done.
How is data breached?
Obviously, the NHS needs to collect, collate and retain a vast amount of highly personal and sensitive information. As an organisation at the forefront of compliance, expectations on them to manage personal data are high. So, how exactly can your information be breached by the NHS? It can be:
- Inappropriately accessed or disclosed
- Destroyed or altered in some way
- Lost or used incorrectly
- Accidentally exposed on open computer portals or websites
- Human error can expose it to cyber-crime
- Failure to correctly redact information that needs to be shared internally can be a threat
- Any personal information, medical records, or sensitive and confidential information handled inappropriately can pose a potential risk, such as failing to shred it.
It’s essential that companies invest in the correct software and staff training to avoid lapses in this privacy. Data breach claims can be brought against the NHS if you have evidence that the organisation was at fault for the breach and you went on to suffer financial or mental damage as a result.
Cyber-attacks and insufficient network security can give rise to data breaches, but problems can be caused by human error too. Its also possible that your data breach may never be discovered, but if it is, the data controller has a legal obligation to tell you.
Some specific causes of an NHS data breach could be:
- Medical records left open and viewable
- Leaving printed documents laying around
- Staff nosiness or the prying attentions of others, such as the Ed Sheeran data breach
- Postal or email errors, such as personal data being sent to the incorrect recipients
- On-screen payslips or bank information left for anyone to see
- Social media posts detailing confidential information
- Sharing medical records with unapproved parties
- Cyber-security or computer viruses
Whatever the cause, the damage can be shattering. Our advisors are on hand right now to offer advice and possibly connect you with No Win No Fee data breach solicitors from our panel who could support a claim for compensation. Whatever your reasons to believe that you have been affected by an NHS data breach, please speak to us.
Third-party data sharing happens when your personal information is either shared or accessed without your permission. This doesn’t necessarily mean that a breach has happened, however.
There are circumstances in which it’s possible for the NHS to share data without your consent. They include:
- If it is in their and your legitimate interests to share data
- If the data is shared as part of a public task
- If there is a contractual or legal obligation to share
- If it’s in your and their vital interests to share the data.
Sharing that doesn’t comply with these requirements may constitute a data breach. As long as you have evidence of a breach and can prove damage was caused, you could be awarded compensation for an NHS data breach.
GDPR and ‘LAPIS’
Article 5 of the GDPR sets out some basic requirements which you can remember with the acronym LAPIS:
L – Lawfulness. Is the information being collected fairly and transparently and in line with those laws?
A – Accuracy and Accountability – is the information correct? Is it properly updated and monitored? Has the person responsible for controlling and processing your data been properly held to account? Have they taken responsibility by informing you if there’s a problem?
P – Purpose limitation – is the information being used for the purposes expressed?
I – Integrity – is the controller of this data committed to doing the lawful and ethically correct thing with it?
S – Storage limitation – is the information being appropriately kept?
Another principle requiring compliance is data minimisation, which relates to only collecting what is absolutely necessary. In addition to this, data should only be retained for as long as required and encrypted appropriately before being shared.
Similar to personal injury claims, there are time limits to consider when seeking compensation for damages caused by a data breach. If you can prove harm caused by an NHS cyber breach you have a generous 6 years to start a claim from the date you gained knowledge of the breach. That is reduced to 1 year if your human rights were breached as well.
There is still no time like the present, however, and we recommend you get in touch with a data breach protection lawyer sooner rather than later to get your claim started.
The Information Commissioner’s Office (ICO) can look into cases of NHS information governance breaches. A powerful body designed to uphold regulations, the ICO can issue the offending health authorities with fines and penalties if they are found to be in breach of the law.
Recent high-profile cases include St. George’s Healthcare Trust which was fined £60,000 for sending a patient’s information to the wrong address. An NHS manager was fined for sending personal information to her own email address and an employee at the Heart of England NHS Trust was fined after she unlawfully accessed the personal files of 14 individuals.
NHS Data Breach – Further Real-Life Case Studies
In a real-life NHS data breach incident in 2020, the health board stated that 31 people received information from a list of 284 people receiving healthcare from NHS Highland. This included their date of birth, the name of the clinic they were attending and their contact details.
In 2019, the e-mail addresses of 37 people living in the Highlands with HIV were made public to other patients.
Statistics from the Information Commissioner’s Office (ICO) reported that in Q4 of 2021/22 there were 2,172 data security incidents reported. From these numbers, the industry with the most data security incidents was the health sector, with 427 incidents reported.
Though these may not all have been in the public health sector, you could potentially claim compensation if you were harmed by a personal data breach caused by a public or private healthcare organisation. However, there are certain criteria required to make a claim. Get in touch today to find out more.
What Is The ICO’s Standard Procedure?
The ICO follow a set procedure in most cases which is as follows:
- Firstly, you are required to demonstrate proof that your information has been misused. The NHS is legally obliged to inform you within 72 hours if there has been a data breach that involves you. They can do this in writing or by email.
- If you heard in the press about a data breach that you believe may implicate you, you can request information from the NHS about it.
- At the point of discovery, you can ask for compensation directly from the healthcare providers involved. Sometimes this is a quicker and preferable solution for you and you’re perfectly at liberty to discuss it with them. However, you may miss out on certain aspects of a claim without specialist knowledge.
- If after no longer than a 3 month period you have had no communication at all from the NHS about the breach, you can formally request the ICO to step in. At this point, it can be a good idea to secure the services of a No Win No Fee lawyer acting on your behalf to obtain data breach compensation if they can.
ICO Penalties for data breach
There are two types of monetary penalties that can be imposed against the data controller or the people who collect and process data on their behalf. ICO fines are divided into two types:
Higher Maximum – this can be as much as £17.5 million or 4% of the total annual turnover in the preceding year (whichever is higher)
Standard Maximum – which can be as much as £8.7 million or 2% of the annual preceding year’s turnover.
Intended to be dissuasive, these penalties are meant as a warning to companies to take data protection seriously and ensure their staff are properly trained in the correct procedure.
If you can prove that you’ve suffered financial or mental damage as a result of an NHS data breach, could be owed compensation; get in touch to learn more.
You may want more information about the compensation you could receive from data breach claims. You should know that you can claim under two heads. One of these is non-material damages, which relate to the psychological injuries that you’ve sustained due to the data breach. For example, you could suffer from anxiety or depression because your personal data has been exposed.
To potentially receive distress compensation for a data breach, you would need to show that you were harmed by a personal data breach caused by positive wrongful conduct on behalf of the company that held your data.
Furthermore, due to the ruling in the case of Vidal-Hall and Others v Google Inc , you can now claim for non-material damages without having to also claim for material damages due to the data breach.
While we can’t provide you with set data breach compensation amounts from the UK, the figures in the Judicial College Guidelines, last updated in 2022, can still give you a better idea of your potential compensation amount. The information has been taken from previous successful court cases in Wales and England.
|Type of injury||Possible award|
|Severe psychological damage||£54,830 to £115,730|
|Moderate psychological damage||£5,860 to £19,070|
|Less severe psychological damage||£1,540 to £5,860|
|Severe PTSD (Post-traumatic stress disorder)||£59,860 to £100,670|
|Moderately severe PTSD (Post-traumatic stress disorder)||£23,150 to £59,860|
|Moderate PTSD (Post-traumatic stress disorder)||£8,180 to £23,150|
|Less severe PTSD (Post-traumatic stress disorder)||£3,950 to £8,180|
If you would like to know more about data breach claims or want to see if you can claim, contact us for free using the above details at a time that suits you.
There are two types of compensation that could be possible in data breach cases.
This refers to the actual, physical loss or damage to your finances caused by an intentional or unintentional release of data about you. Your credit rating score, your passwords, bank account details, medical records, and personal or professional connections can all have a monetary impact if exploited by criminals.
A breach of medical records could easily lead to an emptied bank account in the hands of hackers who have a vested interest in finding those lucrative connections. Material damages are worked out by using a paper trail of tangible loss to arrive at a compensation figure.
Non-material losses relate to the psychiatric harm and emotional distress caused by being the victim of a data breach. Evidence is taken from medical assessments. They can prove that the anxiety, anguish, or stress entailed in being the victim of digital exploitation caused you real suffering.
NHS data breach consequences can be particularly painful as they can concern very personal matters about patients’ health. Precisely the kind of details you would not want in the public realm.
A No Win No Fee lawyer could accurately calculate potential settlement amounts for both these types of impact and argue for compensation on your behalf.
As internet use continues to touch upon every aspect of modern daily life it’s essential that we have some form of protection against unscrupulous operators and abuses of trust. Whatever the circumstances surrounding your NHS data breach, whether it was accidental or deliberate, it is recognised by the GDPR now that you should not suffer unfairly because of it.
You can approach the ICO within a three-month period if you believe yourself to be a data breach victim and have heard nothing from the organisation responsible. They can look at your complaint and investigate it. In addition to this, you can speak to our advisors about connecting with a specialist data breach solicitor from our panel.
With the experience and insight of evaluating damages fully on your behalf, the lawyer could take up your case at no initial cost to you whatsoever. Able to give your case the full attention it deserves, it could be possible to recover compensation from the company that breached your privacy and violated your trust.
Tackling a huge organisation like the NHS may seem overwhelming. To reflect this, No Win No Fee services can enable you to access the compensation you deserve at a reduced financial risk to you. Call our helpline now and chat over your concerns to assess how viable your claim is.
If we can help, you could benefit from a No Win No Fee service which means:
- There are no fees to pay upfront
- Nothing to pay as the case goes ahead
- If your case fails, there are no fees to pay your lawyer at all
Cases that are successful mean that you only pay a small and restricted percentage of the final compensation amount. This is a fee to pay for your lawyers work on your behalf.
With this financial flexibility and the support of a skilled solicitor handling your data breach claim, you can feel much more confident about addressing this injustice.
Searching for the right data breach protection lawyer online can feel like hard work. Reviews offer some insight into how well a company might handle your claim. But, it can feel very hit or miss. Likewise, some sites offer instant compensation amounts that take a few key points about your case and construct a figure based on that. This also can be very vague and miss the potentially greater damages if calculated properly.
At Legal Helpline we speak to our clients in person to discover the full extent of what happened. We can help you assemble all the appropriate evidence to construct a solid claim for data breach compensation. Their expertise could boost the final amount.
The NHS is legally required to contact you within 72 hours to inform you of any data breach that might affect you. You should reach out to them for clarification if you’ve not heard anything. Sometimes they fail to respond. If you have trouble receiving any answers to your attempts to make contact, a lawyer can help.
We can help too. When you speak to our team, we can help assess your eligibility and your cases’ chance of success. If it looks promising, it can then be taken up by our specialist data breach protection solicitors on our panel. They could construct a case for damages on your behalf. All you need to do to start your claim is get in touch.
Act now. Data breaches are happening more and more and it’s essential that you take steps to rectify a breach that has caused you harm. With a No Win No Fee solicitor from our panel working on your behalf there’s nothing to stop you from starting your claim today. You can:
- Calling us on 0161 696 9685
- email or write to us at Legal Helpline
- use the ‘call me back option for immediate access to free legal advice
In this section, we’ve answered some common questions when it comes to data breach claims.
How do I report an NHS data breach?
You should first speak to the NHS. If you fail to receive any response, you can contact the ICO within a three-month period. After that, your complaint may not be considered.
What are the consequences of a data breach?
You could suffer anything from mild distress to identity theft.
Can I get compensation for a data breach?
Yes, the table above demonstrates how the JCG recommends awards for mental suffering and how with evidence, the people who are liable for your breach could be responsible for your financial losses.
How long do I have to claim?
The time frame to claim is 6 years in normal cases or 1 year where human rights violations were involved in the data breach.
How long could a data breach claim take?
Claims can be settled within around a year if the claim is straightforward and isn’t disputed by the defendant.
What if the claimant is under the age of 18?
In instances that involve a minor or someone unable to represent themselves, a family member or guardian can act as a ‘litigation friend’ and undertake the role on their behalf.
Do I need to go to court?
Not necessarily. When you use the services of a lawyer remotely, most of the communication can happen through email, therefore your case can happen remotely. It’s important to note that you may need to go to court and obviously, be prepared for this. But most claims never make it that far.
NHS data protection breaches could cause much suffering such as acute anguish and fear. In view of this, for advice about coping with PTSD or depression caused by having your personal details exposed, please refer here. This guide from Victim Support on Identity Fraud may also be useful.
We also have some other guides you may find useful, including:
- Our guide to GDPR Data Breach Compensation Claims
- Medical Data Breach Claims
- Pharmacy Data Breach Claims
Thank you for reading our guide on what to do if you fall victim to an NHS data breach.
Guide by JJW
Edited by REB