How To Claim For Unauthorised Access To Patient Medical Records

This guide is about claiming compensation for unauthorised access to patient medical records. We’ll look at what harm could result from access and why you could be compensated.

When you visit a GP, dentist, hospital, optician or other medical service, details of your appointment are recorded in your medical records. One reason for this is so that other medical professionals who treat you in the future are aware of the treatment and any medication you have been prescribed. This can save time and prevent mistakes. As the information recorded is personal and sensitive, you probably wouldn’t want it shared.

Patient medical records data breach compensation claims guide


Legal Helpline is here to offer support if you wish to claim. We will review your case on a no-obligation basis and provide free legal advice. If the claim appears suitable, we may connect you to a data breach lawyer from our panel. Any case they agree to work on will be managed on a No Win No Fee basis.

If you are interested in talking about your claim today, please get in touch on 0161 696 9685. Alternatively, to learn about how the General Data Protection Regulation (GDPR) protects access to your personal information, please read on.


A Guide On Claiming Compensation For Unauthorised Access To Patient Medical Records UK

As well as the GDPR, the Data Protection Act 2018 was introduced to give you extra control over the ways in which your personal data is used. The idea is that organisations need to implement appropriate security measures to keep information safe. Furthermore, they need a lawful basis before processing any personal information. This can be established in a number of ways. One common method is to ask for your permission to use your information after telling you why it is needed.

Unauthorised access to patient medical records could be a personal data breach under the GDPR. That’s because the data found within a medical record can be used to identify a patient, and health data is also treated as ‘special category’ data under Article 9 of the GDPR, so it attracts stricter protection. If the patient (the data subject) suffers psychological injuries or financial losses as a result of the data breach, they could seek damages to cover that suffering.

Organisations could be fined or ordered to change their data protection processes if they are found to have broken these laws. The watchdog that can take enforcement action against them is the Information Commissioner’s Office (ICO). However, you will still need to take action yourself if you want to be compensated. That’s because the ICO does not have any legal powers to award data breach compensation.

Claims will need to be made within the relevant time limits. Generally, you’ll have six years to claim from the date you obtained knowledge of the breach. However, cases centring on human rights breaches may only have one year.

If you would like to check how long you have to claim, ask any questions, or start your claim, why not call our specialist advisors after completing this article?

What Is Unauthorised Access To Patient Medical Records?

In terms of seeking compensation, you would need to demonstrate that, because your medical records were accessed in an unauthorised manner, you have suffered psychologically (for example, distress or anxiety) or financially.

There are several ways that could happen. For instance, you could suffer financially if your records are accessed by criminals. If that happens, the criminal could hold you to ransom or use your personal data in identity theft crimes.

You could also claim if you’ve suffered psychological injuries because your medical data was leaked. For example, the exposure of sensitive data on your records could cause embarrassment and lead to distress, depression and anxiety.

It is important to state that the GDPR does not differentiate between digital data and physical data: it covers paper records too, provided they form part of a structured filing system. For that reason, medical data breaches could involve hand-written records as well as those held on computer systems.

Some examples of how unauthorised access to your medical records could lead to a claim include:

  • If details from your medical records are sent in a letter (intended for you) to the wrong address.
  • Where staff look up information about you without a medical reason.
  • If medical records enter the public domain because they are disposed of insecurely.
  • If an unencrypted laptop holding your records is stolen from a medical practice, leaving your records accessible to whoever has the device.
  • Where cybercriminals use phishing emails, keyloggers, ransomware or other malware to gain access to insecure IT systems.

What’s important here is that it does not matter whether the data breach was deliberate or accidental. For any type of breach where your data is exposed and you suffer damage as a result, you could be eligible to seek compensation.

To find out if you might be eligible to claim, why not get in touch today? We can review your case for free and explain your legal options.

Who Can Access Patients Medical Records?

Since 2018, access to patient medical records has been governed by the GDPR and the Data Protection Act 2018. That means an individual can request access to their own records from the data controller. This could be a GP, hospital, NHS trust or whoever else is responsible for them. Importantly, since the introduction of the new laws, the data controller cannot normally charge you a fee for accessing your medical records; a reasonable fee can only be charged where a request is manifestly unfounded or excessive.

Parents may be able to access records relating to their child but this will depend on the child’s age and competency. Generally, a child aged 12 or over is considered to have the capacity to decide whether their records are shared.

It goes without saying that medical professionals involved in your treatment are able to access your records. Without it, mistakes could happen in your future treatment. However, if a medical professional or a member of admin staff were to access your records without any medical reason, a data breach is likely to have occurred.

How Should Medical Data Be Accessed And Correctly Processed?

Part of a data controller’s responsibilities is to ensure personal data is protected at all times. That means that any member of staff accessing, updating or amending records should take sensible precautions. For example, they should:

  • Not leave patient medical records open on unlocked computer screens.
  • Never discuss information about patients in reception areas or other areas where they could be overheard.
  • Not send patient records to personal email accounts.
  • Return physical documentation to secured filing systems once it is no longer needed.
  • Use secure transit methods when sending physical documents to others.

If you believe your medical records have been disclosed to an unauthorised party, why not check to see if we could help you claim. Remember, the reason for the data breach doesn’t need to be deliberate, you could claim if an accidental breach has caused you harm.

Unauthorised Access And Disclosure Of Medical Records

In a memo to NHS staff, it was made clear that they should never:

  • Access the medical or personal details of colleagues, neighbours, friends or family.
  • Ask a colleague to access such records for them.

The memo explained that such action could result in disciplinary action, dismissal, being fined or losing professional registration.

Several examples were listed in the memo. One related to an administrator at an NHS trust who looked at records relating to family members and children they knew. An internal audit identified that there was no business need for accessing these records. As a result, the administrator was prosecuted for unlawfully obtaining personal data and the court imposed fines totalling over £1,600.

Can Patients Access Their Own Medical Data?

As well as the GDPR, other laws exist that provide guidance on who can access medical records. These are:

In line with this legislation, individuals can request access to, or copies of, their medical records.

Although access is allowed, there are a few scenarios where it might be limited or denied. This could be the case if there is evidence that access could result in physical or psychological suffering for that patient or another individual. That means that before a data controller hands over copies of medical data, they will probably need to make safety checks with:

  • The most suitable medical professional.
  • Somebody with the qualifications and experience to advise if a medical professional is not available.

If you suspect that your medical records have been accessed illegally and that you have suffered as a result, why not contact us today? We are happy to consider your case for free and explain your options. If your case is strong enough, we could ask a specialist lawyer from our panel to look into it. If they agree to work for you, they’ll offer you a No Win No Fee service.

Can I Look Up Someone’s Medical Records?

As we have shown, medical records contain personal, sensitive and confidential information. Therefore access to them is limited. There are times when you could access somebody else’s records though. They include:

  • If you have their consent to act on their behalf.
  • Where you have a legal power of attorney to make decisions for them.
  • Where there is another legal basis to do so.

To gain access to these records, you would need to make a Subject Access Request (SAR) to the organisation responsible for the records. Many will have special SAR forms to help with this process.

Cyber Security For NHS Patient Data

A major study into NHS data security made several recommendations. It also set out 10 data security standards that should be adopted. They were:

  1. Handling data in a secure way. This includes physical and digital data.
  2. Staff should understand their accountability in relation to avoidable and deliberate data breaches.
  3. Annual data safety training and testing should be completed by all staff.
  4. Any access to personal data on IT systems should be logged. Access should only be available while it is needed.
  5. Annual reviews of processes should be carried out.
  6. Immediate reviews should be carried out where a data breach occurs, with management reports released within 12 hours.
  7. An action plan must be in place to prepare for data breaches.
  8. Only permitted software, internet browsers and operating systems are allowed to be used on NHS IT systems.
  9. A strategy must be in place to protect NHS IT systems. This should be reviewed at least once a year.
  10. Contracts with IT suppliers should hold them accountable for the security of any personal data that they process on behalf of the NHS.
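Standard 4 above (log every access to personal data and keep access only while it is needed) and the internal audit in the NHS memo earlier both come down to the same check: comparing who opened a record against whether there was a business need. The following is an added example, not taken from the study, the NHS or this guide, of how such an audit can be automated. It reads a constructed access-log extract, treats any lookup that no recorded care episode explains as a finding, and then adds the indicators the memo warns about (a staff member opening their own record, or a record sharing their surname or postcode, or access out of hours). Every identifier, field name and data row is invented for the example.

```python
"""Audit record-access logs for lookups with no care relationship.

Constructed example: the log extract, staff list, patient list and care
episodes below are invented test data, not records from any real system.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime

# Constructed audit-trail extract. Field names are assumed for this example;
# a real EPR audit log will differ but records the same facts: who, which
# patient, when.
ACCESS_LOG = """\
timestamp,staff_id,patient_id,action
2023-03-01T09:12:00,S100,P200,view
2023-03-01T09:40:00,S100,P201,view
2023-03-01T13:05:00,S101,P300,view
2023-03-01T22:30:00,S101,P301,view
2023-03-02T10:00:00,S102,P202,view
2023-03-02T10:02:00,S102,P203,view
"""

# Constructed reference data joined onto the log. "own_record" is the patient
# record of the staff member themselves (None if not registered here).
STAFF = {
    "S100": {"surname": "Okafor", "postcode": "M1 1AA", "own_record": "P202"},
    "S101": {"surname": "Patel", "postcode": "M2 2BB", "own_record": None},
    "S102": {"surname": "Okafor", "postcode": "M3 3CC", "own_record": "P203"},
}
PATIENTS = {
    "P200": {"surname": "Smith", "postcode": "M9 9ZZ"},
    "P201": {"surname": "Jones", "postcode": "M1 1AA"},   # same address as S100
    "P202": {"surname": "Okafor", "postcode": "M1 1AA"},  # S100's own record
    "P203": {"surname": "Okafor", "postcode": "M3 3CC"},  # S102's own record
    "P300": {"surname": "Brown", "postcode": "M7 7YY"},
    "P301": {"surname": "Patel", "postcode": "M8 8XX"},   # same surname as S101
}
# (patient_id, staff_id, episode start, episode end): a documented reason for
# this staff member to be in this patient's record during the window.
EPISODES = [
    ("P200", "S100", "2023-02-28T08:00:00", "2023-03-02T08:00:00"),
    ("P300", "S101", "2023-03-01T12:00:00", "2023-03-01T18:00:00"),
]


@dataclass
class Finding:
    timestamp: datetime
    staff_id: str
    patient_id: str
    reasons: list[str] = field(default_factory=list)


def has_care_relationship(patient_id: str, staff_id: str, when: datetime,
                          episodes: list[tuple[str, str, str, str]]) -> bool:
    """True if a care episode links this staff member to the patient at 'when'."""
    for pid, sid, start, end in episodes:
        if pid == patient_id and sid == staff_id \
                and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end):
            return True
    return False


def audit_access_log(log_text: str, staff: dict, patients: dict,
                     episodes: list[tuple[str, str, str, str]]) -> list[Finding]:
    """Return one Finding per access that no care episode explains.

    Each finding lists why it was raised; the extra indicators mirror the
    NHS memo's examples (own record, relatives, neighbours, odd hours).
    """
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        sid, pid = row["staff_id"], row["patient_id"]
        if has_care_relationship(pid, sid, when, episodes):
            continue  # legitimate: the staff member was involved in this patient's care
        reasons = ["no care episode links this staff member to the patient"]
        s, p = staff.get(sid, {}), patients.get(pid, {})
        if s.get("own_record") == pid:
            reasons.append("staff member opened their own record")
        if s.get("surname") and s.get("surname") == p.get("surname"):
            reasons.append("patient shares the staff member's surname")
        if s.get("postcode") and s.get("postcode") == p.get("postcode"):
            reasons.append("patient shares the staff member's postcode")
        if when.hour < 7 or when.hour >= 20:
            reasons.append("access outside normal working hours")
        findings.append(Finding(when, sid, pid, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_access_log(ACCESS_LOG, STAFF, PATIENTS, EPISODES):
        print(f"{f.timestamp:%Y-%m-%d %H:%M} {f.staff_id} -> {f.patient_id}: "
              + "; ".join(f.reasons))
```

Run on the constructed data, the audit passes the two accesses that fall inside a care episode and raises four findings, of which the self-access at 10:02 on 2 March collects every indicator. In a real trust the same logic would be driven from the EPR audit trail and the appointment or ward systems, and the "no care episode" rule alone will produce false positives (cover, referrals, administrative work), so the indicators are what turn a long list into a short one worth a human review.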

Calculating Compensation For Unauthorised Access To Patient Medical Records In The UK

In this section, we will review how much compensation could be awarded to cover mental harm resulting from a personal data breach. Our compensation table offers some examples but you can get a more personalised estimate by speaking to our team.

An important hearing at the Court of Appeal gave guidance on data breach claims. The Court stated in Vidal-Hall and others v Google Inc [2015] EWCA Civ 311 that:

  • Compensation should be considered if the claimant has suffered distress following a data protection breach. This is the case whether or not money has been lost.
  • Awards for mental harm should be valued by reference to the approach established in personal injury law.

As a result, the figures in the table below are from the Judicial College Guidelines. This is a resource used in personal injury cases to help value different injuries.

Type Of Claim                        | Settlement Bracket
Severe psychiatric damage            | £51,460 to £108,620
Severe PTSD                          | £56,180 to £94,470
Moderately severe psychiatric damage | £17,900 to £51,460
Moderately severe PTSD               | £21,730 to £56,180
Moderate psychiatric damage          | £5,500 to £17,900
Moderate PTSD                        | £7,680 to £21,730

You will need to demonstrate the extent of your suffering during the claim. Therefore, as part of the process, you’ll need a medical assessment. The lawyers on our panel are able to arrange a local appointment so that you won’t need to travel too far.

Your assessment will be managed by an independent specialist. To establish what injuries have been sustained and to offer a prognosis, they will refer to your medical records and ask some questions. Once they have finished, a report will be prepared and sent to your lawyer. This will be used to value your injuries and prove that the breach was the cause.

For a more specific estimate or to learn more about what you can claim for, please get in touch.

No Win No Fee Compensation Claims For Unauthorised Access To Patient Medical Records In The UK

The main concern that many people have when seeking compensation is losing money in legal fees. If you ask us to help you though, you don’t need to worry as much. That is because our panel of lawyers offer a No Win No Fee service if your case is accepted. Therefore, you could benefit from the experience of the data breach lawyers from our panel, but your financial risk will be lower.

Importantly, the merits of your claim will need to be reviewed before it is taken on. If the lawyer is happy to help you, they will supply you with a Conditional Fee Agreement (CFA). This is the formal name for a No Win No Fee agreement. This contract tells you what your solicitor will need to do if they wish to be paid. Furthermore, it will make it clear that:

  • You won’t need to pay any lawyer’s fees in advance.
  • While your claim is being processed, you won’t need to pay your lawyer for their work.
  • Should the claim fail, you won’t be liable for your lawyer’s fees whatsoever.

In cases where compensation is awarded, your lawyer will be paid a success fee. This is listed within the CFA as a fixed percentage of any settlement. That means you will know the percentage before you agree to work with the lawyer. Also, to try to prevent overcharging, No Win No Fee success fees are legally capped.

Reporting Unauthorised Access Of Healthcare And Medical Records

If you want to tell the ICO that your medical records have been accessed by an unauthorised party, you will need to follow a set process first. Initially, you will need to complain to the organisation you blame for the breach. Once they reply, you will need to escalate the complaint if you don’t agree with the answers given.

When you have escalated as high as possible, you might want to ask the ICO to consider your case; the ICO expects you to do so within three months of your last meaningful contact with the organisation. If they take it on, they will investigate and report their findings. If this confirms a breach happened, a fine could be issued or the organisation might be forced to make changes. However, please remember that this process won’t result in you receiving any compensation.

For that reason, you will need to make your own claim. To discuss how we could help you do so, please get in touch.

Talk To Our Data Breach Team

We hope that our guide on claiming for unauthorised access to medical records has been helpful. Furthermore, if you are going to claim, we hope you would like Legal Helpline to support you. If that’s the case, you can contact us by:

As we know how busy life can be, we operate our claims line 24 hours a day.

FAQs About Unauthorised Access To Medical Records

As we have almost come to the end of this guide, we are going to provide answers to some common questions about medical records access. If you have any further questions, please call our free support line today.

Who has the right to access patient health records?

As well as medical professionals involved in your treatment, you have the right to access your own medical records. In some limited cases, it may also be possible to access the records of other people as well.

What are the consequences of accessing a patient chart without reason?

If there is no medical reason for accessing a patient’s medical records, a GDPR data breach may have occurred. In one example, hospital staff were disciplined after accessing Ed Sheeran’s medical records without good reason.

Do health visitors have access to medical records?

Some health visitors linked to GP surgeries or other care services may have access to your medical records. Importantly, they should only have information that relates to your care available to them.

Where To Learn More

Thanks for visiting Legal Helpline today. We hope that this article about unauthorised access to patient medical records has helped. In this final section, we have linked to some resources that might help you further.

The General Medical Council – The regulatory body that helps to improve medical practice and protect patients.

Do I Need To Consent? – ICO advice on whether organisations need to seek your consent before using personal information.

Flashbacks – Information on what causes flashbacks which can be a symptom of PTSD.

Below you will find a few more of our articles relating to data breach claims.

Pharmaceutical Data Breaches – Advice on how to claim if you’ve suffered following a data protection breach by a pharmacy.

HMRC Breaches – This guide shows the options available if a breach involving your data happens at HMRC.

Human Resources Data Breaches – Information about claiming if your workplace HR department leaks your data.

Solicitor Lost My Medical File – If your solicitor has committed professional negligence and lost your medical records find out how to claim in this article.

Thanks for reading our guide to making a data breach claim following unauthorised access to patient medical records.

Guide by BH

Edited by REB