Superdrug Pharmacy GDPR Data Breach Compensation Claims Guide – How To Claim?

My Data Privacy Was Breached By Superdrug Pharmacy, Could I Claim Compensation?

In this article, we are going to look at what could cause a personal data breach by a Superdrug pharmacy to occur. We will also review what harm could result from one and the evidence required to successfully claim compensation for the damage that results.

Pharmacies have a very important role to play in healthcare. We are very lucky in the UK that medication is freely available and accessible when we need it. To make the service work, pharmacies need to process some personal, and sometimes sensitive, information about their customers. Therefore, keeping that data safe is a priority, especially since the General Data Protection Regulation (or the GDPR) was introduced.

Superdrug Pharmacy data breach compensation claims guideLegal Helpline is able to support you if you would like free legal advice and support. We offer a no-obligation telephone consultation where we will review the merits of your claim with you. You will be given free advice on your options and we’ll explain what steps to take next.

If there is a chance your claim could be won, we can connect you with a specialist data breach solicitor from our panel. Any case that is accepted will be managed on a No Win No Fee basis.

To find out more about how we could help you, please call today on 0161 696 9685. If you would like to learn more about why Superdrug data breaches might lead to a claim, please read on.

Select A Section

A Guide On Claims For A Data Breach By A Superdrug Pharmacy

Along with The Data Protection Act 2018, the GDPR gives you (the data subject) more say about how your personal information is used. The strengthening of data protection rules now means organisations (data controllers) need a lawful reason to process information. In many cases, that means you will be told why information about you is required and you may need to give your permission too.

Importantly, data controllers now have a legal duty to implement processes and procedures to try and keep your data secure. If they don’t, and a breach of personal data occurs, the Information Commissioner’s Office (ICO) could investigate. In some cases, that could result in a large fine for companies who’ve broken the rules. However, the ICO’s powers don’t stretch to issuing compensation for anybody affected by the breach.

The only way you will be compensated is if you make a successful claim against the organisation that has caused you to suffer. If you decide to take legal action, you will need to adhere to the relevant time limits. Mostly, claims need to be made within 6-years from the date you obtained knowledge of the breach. However, if the claim is made on the basis that your human rights were breached, you’ll get just 1-year to claim.

There are various ways pharmacy data breaches could occur and we’ll review some within this guide. Examples range from letters being sent to the wrong patient through to cybersecurity breaches caused by criminal activity.

If you would like help with making a claim, our specialists are here to support you. If you call our data breach claims team, you’ll get free legal advice after your case has been assessed. Should there be sufficient grounds to proceed, we could partner you with a personal data breach lawyer from our panel.

What Are Data Breach Claims Against Superdrug Pharmacy?

To be eligible to claim compensation, you won’t just need to prove a GDPR data breach took place, you will also need evidence to show that you’ve suffered damage either financially or mentally, such as suffering from distress, anxiety or depression.

Data breaches are defined as security incidents that result in personal information being disclosed, altered, lost, destroyed or accessed in an unauthorised manner. You could claim for any suffering that results regardless of whether the breach was illegal, accidental or deliberate.

We often think of data breaches as being linked to cybersecurity problems. For example, breaches commonly result when hackers use ransomware, viruses, malware, key loggers or phishing emails to gain access to computer systems.

However, as we’ll demonstrate later on, physical documentation is also covered by the GDPR. That means you might be eligible to claim if an email or letter containing personal information about you is sent to the wrong patient.

Importantly, the GDPR says that it covers any data that might help to identify a data subject. Data that could directly identify a patient includes names, NHS numbers, telephone numbers, addresses and email addresses. Data that might indirectly identify somebody can include information about your age, disability, gender, sexual orientation or ethnicity.

What Is Third Party Sharing Of Pharmacy Patients Data?

When you sign up with a GP, they may ask you to consent to your prescriptions being sent to a pharmacy electronically. This gives them a lawful reason to share your personal data.

However, there may be times when a pharmacy could share your personal information without your consent. This could include if there is a risk to your life or somebody else’s.

If the pharmacy shares your data without consent, you could be eligible to claim for any suffering that results. That might be the case if your data is shared with marketing companies or organisations conducting medical trials without your agreement.

If you would like us to check if you have a valid reason to proceed to a claim, please call our specialists today.

ICO Enforcement Action Taken Against Pharmacies

While a potential Superdrug pharmacy data breach was reported, it didn’t lead to ICO action. Therefore, in this section, we will discuss a case where the ICO fined a pharmacy £275,000 for breaking data protection rules.

The London-based pharmacy, Doorstep Dispensaree, was found to be storing around half a million documents in containers that were unlocked at the rear of its premises. These documents contained information such as names, NHS numbers, addresses, phone numbers, prescriptions and medical information.

As we mentioned earlier, data controllers have a duty to implement security procedures to keep personal data safe. Therefore, in this case, the containers should have been locked.

The company argued that the containers were kept within the pharmacy’s premises so they didn’t need locking. However, it was found that residents in the flats above could easily gain access to the yard if using a fire escape.

The company was fined and issued an enforcement notice to improve upon its data protection practices.

Source (1): https://www.theguardian.com/business/2018/aug/22/superdrug-targeted-by-hackers-who-claim-to-have-20000-customer-details

Source (2): https://ico.org.uk/media/action-weve-taken/mpns/2616742/doorstop-mpn-20191217.pdf

If you think you’ve been harmed because of a pharmacy data breach, why not call us today? We’ll review your chances of claiming, provide free legal advice and explain your options for free.

Calculating Compensation Claims For A Data Breach By A Superdrug Pharmacy

Now it’s time to look at compensation that could be paid for suffering caused by data breaches. In this section, we are talking about the harm caused by psychiatric injuries like depression, anxiety or Post-Traumatic Stress Disorder (PTSD).

Some important decisions were made in the Court of Appeal case of Vidal-Hall and others v Google Inc [2015]. Those decisions were that you are able to claim for mental injuries regardless of whether you lost any money—a departure from the previous legal position. It was further decided that when valuing mental damage stemming from a data breach, consideration should be given to compensation awards made in personal injury claims.

Our table, therefore, contains information from the Judicial College Guidelines which is used when valuing personal injury claims.

Claim TypeSeveritySettlement RangeFurther Details
Psychiatric DamageSevere£51,460 to £108,620In this range, the overall prognosis will be very poor. Victims will have serious issues coping with life and work. Also relationships will suffer, treatment won't help and they will be vulnerable in the future.
Psychiatric DamageModerately Severe£17,900 to £51,460The victim will suffer similar issues to those detailed above. However, their medical prognosis will be more optimistic.
Psychiatric DamageLess SevereUp to £5,500Minor psychological symptoms such as stress or anxiety that resolve within a few weeks or months.
Post-Traumatic Stress DisorderSevere£56,180 to £94,470The victim will suffer permanent symptoms in this category. They include mood disorders, flashbacks and also suicidal ideation that prevents them from working.
Post-Traumatic Stress DisorderModerate£7,680 to £21,730This compensation bracket is for cases where similar symptoms to the above exist, but, with professional help, things could improve so the prognosis is better.

As you will need to prove the extent of your suffering, you will have to participate in a medical assessment during your claim. This will be carried out by an independent specialist such as a psychiatrist or doctor, and if working with us, will be arranged as close to your home as possible.

During your meeting, your medical notes will be used to look at the injuries that have already been diagnosed. Then the specialist will try to establish a prognosis by asking questions about any continuing symptoms.

Once the assessment is over, a report will be sent to your lawyer setting out the specialist’s findings. This will be used to both evidence your case and value your injuries.

Types Of Compensation Which Could Be Awarded To Data Breach Victims

The process of claiming for data breaches can be quite tricky. The main reason is that, not only do you need to explain what suffering has already occurred, the future needs to be considered too. That’s because you can only make a single claim. After it has been settled, you cannot request additional compensation later on.

Generally, data breach claims are split into two. The first part is called material damages. This is based on any money lost or expenses incurred as a result of the data breach. Non-material damages are the second part and look at pain, suffering and loss of amenity caused by psychiatric injuries.

When looking at financial losses, you’ll probably begin by calculating a figure for the amount you’ve already lost. Then you may have to look at if you’ll continue to suffer in the future. For example, if your information is sold on the dark web by criminals, financial losses may build up until you’ve managed to switch all of your accounts.

In a similar fashion, non-material damages claims will usually begin with injuries that have already been diagnosed. Then you may need to use your medical report to claim for future suffering too. For example, if your prognosis says you’re likely to be affected by anxiety for a few years, then this will need to be added to your claim.

All in all, we believe that having a legal specialist on your side would make the claims process easier. That’s because they’d be able to determine all of the different ways in which you’ve suffered before your claim is submitted.

If you want to find out if a data breach solicitor from our panel could represent you, please get in touch. Our legal advice is free, and you won’t be under any obligation to proceed with a claim.

How To Report A Pharmacy To The Information Commissioner’s Office

As we have mentioned, the ICO has the authority to investigate companies that have been involved in data breaches. However, there is a process you need to follow before contacting them.

In the first instance, you will need to complain directly to the pharmacy you believe has leaked your information. After you have received their response, you can either accept their findings or escalate your complaint. Once you have used all escalation paths, and 3-months have passed since you last heard from the company, you could ask the ICO to look at your complaint.

If they agree to do so, the company involved could be fined if found guilty of breaking data protection laws. That doesn’t mean you will receive any compensation though. For that, you will need to begin legal action against the company separately.

To find out if we could help you proceed to a claim, please call our team today.

No Win No Fee Claims For A Data Breach By A Superdrug Pharmacy Data Breach

Something that can worry potential claimants is how much taking on legal representation will cost. To remove a lot of that worry, our panel of data breach lawyers offer a No Win No Fee solution for claims they take on. This service allows you access to legal specialists but, at the same time, lowers your financial risk. In turn, that means your claim should be a lot less stressful.

Before the lawyer can accept your case, it has to be reviewed. If it is suitable, the lawyer will prepare a Conditional Fee Agreement (CFA) for you—the official title for a No Win No Fee agreement. The CFA shows you what the lawyer has to achieve before you need to pay them. Moreover, it states that:

  • Claims can start quickly due to the fact there aren’t any upfront charges.
  • Your lawyer’s fees are not requested while your claim is being worked on.
  • You don’t need to pay your lawyer’s fees if the claim doesn’t work out.

You will only have to pay your data breach solicitor if they win compensation for you. Even then, you don’t have to send any money to them. Instead, your lawyer will retain a small percentage of your compensation to cover the cost of their work. This is called a success fee. It is capped by law and your percentage is listed in the CFA so you will be aware of it before agreeing to move forward.

Why not ask an advisor if your claim is suitable for a No Win No Fee service today?

How A Data Breach Solicitor Could Help You Make A Claim

The complexity of data breach claims might cause you to worry about proceeding. You shouldn’t be put off though. Our advice is to take on specialist legal representation. If your claim is taken on by a specialist lawyer from our panel, they will:

  • Review your claim with you to fully understand how you have been affected.
  • Gather evidence to support your claim.
  • Arrange for an independent medical assessment to be carried out locally.
  • Collate and file your claim with Superdrug Pharmacy.
  • Deal with the pharmacy’s insurer on your behalf.
  • Try to make sure that you are paid the maximum amount of compensation possible.

To find out more about how we could help, please call our specialists today.

How To Get Help If Affected By A Pharmacy Data Breach

In this section, we will briefly reiterate our advice on starting a GDPR data breach claim.

In the first instance, you should complain directly to the Superdrug pharmacy in question. Then you should escalate your complaint if you don’t receive a satisfactory response. After 3-months have passed since you heard from the company, you could begin your own legal action.

If that is how you would like to proceed, we can help. A quick call to our team will give you a good idea about the validity of your claim. If it is taken on by a lawyer from our panel, they will explain whether you’ll need to escalate your complaint to the ICO.

Talk To Our Team

You have almost completed this guide on Superdrug Pharmacy data breach claims. Hopefully, you now know what you would like to do next. If you are considering claiming, Legal Helpline is here to support you. To start the ball rolling, you can:

You can reach out to us 24-hours a day, 7-days a week. During your call, you will receive free legal advice. There will be no pressure on you to proceed, but if you decide to continue, we’ll support you throughout the claims process.

Pharmacy Data Breach Claim FAQs

To help you further, we have added some frequently asked questions in this section. If you would like to ask anything that’s not covered here, please get in touch.

How much does it cost to make a claim?

Making a personal data breach claim doesn’t cost anything per se. However, data breach solicitors could improve your chances of being compensated at the right level. If you use a No Win No Fee solicitor, you will pay them a legally capped percentage of your compensation as a success fee.

Will I have to pay anything if my claim is not successful?

When using No Win No Fee services, you only have to pay your solicitor if you receive compensation. Therefore, if your claim does not succeed, you won’t need to pay your solicitor’s fees.

How do I start my claim?

To start a personal data breach claim, you could ask a data breach solicitor to help. They will review your case and explain if you have the grounds and the evidence necessary to proceed.

Are there time limits for making a claim?

There are time limits that apply to GDPR data breach claims. In general, there is a 6-year limitation period. However, cases linked to breaches of your human rights have a 1-year time limit.

Where To Learn More

Thank you for reading about why you could claim compensation following a GDPR data breach by a Superdrug pharmacy. In the final part of this article, you will find resources that might prove useful in the future. If you have any further requirements, please get in touch using the number above.

Superdrug Privacy Policy – Information on how and why Superdrug will use customer information.

Subject Access Requests – This article explains how to make a SAR and what information you’re allowed to ask for.

Anxiety UK – This registered charity supports anybody who is affected by anxiety disorders.

To show how else Legal Helpline could support you in the future, we have listed some more of our articles below:

GDPR Data Breach Compensation – Free legal information on claiming for damage suffered as a result of a GDPR data breach.

Bank Data Breach Claims – This article explains how a bank data breach could arise.

Housing Association Data Breach Claims – Information about why you might be compensated if you’re the victim of a housing association data breach.

Thank you for reading our guide to Superdrug Pharmacy data breach claims.

Guide by BH

Edited by REB