This guide will explain the steps you can take if your medical information is shared either accidentally or unlawfully. In some cases, you may be able to seek compensation. We will explore the criteria that must be met in order to do so.
My medical information was shared, could I make a claim?
As a data controller, healthcare providers have a responsibility to protect your personal data. This includes your medical data. The responsibility they have also extends to data processors.
A data controller decides on the purpose for processing and sometimes processes it themselves. A data processor acts on behalf of the data controller. If they fail to adhere to the responsibility they have as set out by data protection law, causing your personal data to become compromised and resulting in you suffering mental harm or financial loss, you may be able to seek compensation.
The Information Commissioner’s Office upholds the rights and freedoms of data subjects. They can also take enforcement action against organisations who fail to comply with data protection law.
For more information, please get in touch with an advisor. You can contact us by:
- Calling on 0161 696 9685
- Making an online enquiry about claiming
- Using our live chat feature below to ask an advisor a question.
Select A Section
- What Is A Medical Data Breach?
- How Could Your Medical Information Have Been Shared?
- Your Right To Seek Compensation
- How Long After Your Medical Information Being Shared Could You Claim?
- What Is The Average Payout If Your Medical Information Was Shared?
- Can I Claim With A No Win No Fee Agreement?
What Is A Medical Data Breach?
A personal data breach involves a security incident causing the availability, integrity or confidentiality of your personal information to become compromised.
Personal data is any information that can be used to identify you, such as your name, email address, phone number and postal address. Additionally, there is other personal data that requires more protection due to it’s sensitive nature. This is known as special category data and includes personal information that relates to your health, such as HIV data.
As such, a medical data breach is an incident that can involve personal data relating to your health becoming compromised. There are many incidents which can lead to this type of breach. However, for the purpose of this guide, we will focus on breaches where medical information was shared without a lawful basis.
Under the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR), data controllers and data processors have a responsibility to protect your personal data. As part of this responsibility, they should take different measures to protect personal data, such as:
- Training staff to handle data responsibly and avoid breaching personal data.
- Password protecting devices and keeping printed documents containing personal data securely stored away.
- Keeping cyber security systems up to date to reduce the risk of cyber attacks.
Additionally, they must have a lawful basis for processing your personal data.
If their is a failure to comply with data protection law, it could lead to your medical information being shared accidentally or unlawfully. Call us for more information on the steps you can take should this happen.
How Could Your Medical Information Have Been Shared?
There are six lawful bases for processing personal information. However, whilst organisations must have a lawful basis for processing, the basis they process under will depend on their purpose.
As such, data controllers don’t always need your consent to process. Instead, they may have another lawful basis for sharing your medical information, such as vital interests which means the processing is necessary to protect someone’s life.
However, medical information could be shared without an organisation having a lawful basis to do so. It could also be done accidentally. This is known as a human error data breach.
Below, we have provided examples of how a medical data breach could occur:
- A lack of training could mean a receptionist sends an email containing information relating to your health to the wrong person.
- A doctor verbally discloses information about a patient’s medical condition from their records to someone who should not have access to this information.
- A hospital posts a patient’s medical test results to the wrong address.
It’s important to note that not all incidents of a data breach will form the basis of a valid claim. To learn whether you could seek compensation, continue reading. Alternatively, get in touch on the number above.
Your Right To Seek Compensation
If your medical information was shared in a way that breaches data protection law, you might be eligible to seek compensation. However, you must be able to prove that:
- A data controller or processor failed to adhere to data protection law.
- The failings of a data controller or processor led to your personal information being compromised in a breach.
- As a result, you sustained monetary losses or a psychological injury.
If your case meets the relevant criteria, you may be able to make a data breach claim. Article 82 of the UK GDPR sets out your right to seek compensation for the damage you have been caused by a data breach.
We have explored the compensation you could receive further in our guide. Read on to learn more.
How Long After Your Medical Information Being Shared Could You Claim?
When making a claim after your medical information was shared, you should be aware of the time limit to start a claim.
Generally, you have 6 years. This is reduced to one year if your claim is against a public body.
For more information on whether you have enough time to start a claim, get in touch on the number above.
What Is The Average Payout If Your Medical Information Was Shared?
Generally, after making a successful claim, your settlement could include compensation for material damage and non-material damage. Each of these heads of claim compensates for the different ways in which the personal data breach affected you.
Compensation for material damage accounts for the financial losses you incurred as a result of the personal data breach. This can include loss of earnings if you have had to take time off work while recovering from the emotional harm you sustained due to the breach of your personal data.
Compensation for non-material damage accounts for any psychological injuries you sustained as a result of the personal data breach. This can include, stress, anxiety and post-traumatic stress disorder in more severe cases.
The table below contains compensation brackets from guidelines published by the Judicial College. These brackets correspond with different types of psychological harm and are often used by solicitors to help them value the non-material damage head of claim. We have used these figures in the table below. However, you should only use them as a guide because your actual award could differ.
| Type Of Harm | Guideline Compensation Bracket | Further Information |
|---|---|---|
| General Psychiatric Damage - Severe (a) | £54,830 to £115,730 | The person has experienced marked problems across all parts of their life. The expectation for recovery is poor. |
| General Psychiatric Damage - Moderately Severe (b) | £19,070 to £54,830 | The person will experience problems that are significant. However, the expectation for making a recovery is better than in more severe cases. |
| General Psychiatric Damage - Moderate (c) | £5,860 to £19,070 | There are similar issues as in more severe cases. However, there will have been significant improvements made. |
| General Psychiatric Damage - Less Severe (d) | £1,540 to £5,860 | The compensation awarded accounts for how long the person is affected and to what extent. |
| Reactive Psychiatric Disorder - Severe (a) | £59,860 to £100,670 | There have been detrimental impacts across all parts of the person's life. |
| Reactive Psychiatric Disorder - Moderately Severe (b) | £23,150 to £59,860 | With professional intervention the person makes some recovery and has a better prognosis. |
| Reactive Psychiatric Disorder - Moderate (c) | £8,180 to £23,150 | The person will have recovered to a significant degree. If there are any persisting issues, they won’t be grossly disabling. |
| Reactive Psychiatric Disorder - Less Severe (d) | £3,950 to £8,180 | A mostly full recovery takes place in a period shorter than 2 years. |
For more information on the data breach compensation you could receive, get in touch on the number above.
Can I Claim With A No Win No Fee Agreement?
If you have a valid claim, you may be able to access the services of a solicitor from our panel under a type of No Win No Fee agreement. The type they offer their services under is known as a Conditional Fee Agreement (CFA).
Under this type of arrangement, you do not pay for the services your solicitor provides if the claim fails. If it succeeds, your solicitor will take a success fee, which is capped by the law, from your compensation.
For more information on working with a solicitor from our panel or to discuss what steps you can take if your medical information was shared, you can:
- Call 0161 696 9685 to speak with an advisor
- Fill out the form to make an online enquiry
- Speak with an advisor via the live chat function below.
Learn More About Data Breach Claims
Please feel free to look at these resources to learn more.
- Bank data breach compensation claims
- My data privacy was breached by a GP surgery, could I claim compensation?
- After an employer breach of data protection, what are my rights?
- Advice for being data aware from the Information Commissioner’s Office
- Your right to be informed if an organisation is using your personal data
- Information on opting out of sharing your health records
For more information on the steps you could take after your medical information was shared, get in touch on the number above.
Written by HC
Edited by MMI