NHS or Medical Data Breach Compensation: Everything You Need to Know Before Starting Your Claim

Peter Hammond Peter is a solicitor who has worked as a professional litigator for many years. More recently Peter has specialised in data breach compensation claims and over the last 2.5 years has gained a wealth of knowledge in this sector. Peter now works with us to share his knowledge and inform the general public.

Medical data breaches have become more common over recent years as the healthcare sector is increasingly moving online. This has made it a valuable target for hackers and cybercriminals. As a result, recent statistics have revealed that the UK health sector makes up almost half of all data breaches nationally. However, figures from the ICO (Information Commissioner’s Office) show that the main cause of healthcare data breaches is actually human error, and these mistakes are just as likely to happen offline as they are online.

Types of medical institutions you could claim against

  •       GPs
  •       Pharmacies
  •       Dentists
  •       Hospitals/ NHS Trusts
  •       Individual healthcare staff
  •       Private health companies
  •       Opticians

Previous examples of medical data breaches and the consequences

When a data breach occurs, the consequences for compromising and putting patient data at risk can be very serious. The ICO, upon investigation, can respond with severe actions like hefty financial penalties and prosecutions.

Name of the company                                 Amount they were fined
Brighton & Sussex University Hospitals NHS Trust    £325,000
Belfast Health and Social Care Trust                £225,000
Bupa                                                £175,000
Bayswater Medical Centre                            £35,000


Brighton and Sussex University Hospitals NHS Trust

The penalty against Brighton and Sussex was at the time the largest medical data breach compensation in the UK. The organisation had to pay £325,000 as a fine after they were subject to a breach that released hard drives full of healthcare information. The thieves put the hard drives on eBay for sale, which gives you an idea of the potential risk to those affected.

Belfast Health and Social Care Trust

Belfast Health and Social Care Trust had to pay a hefty amount of money to compensate for the loss of sensitive information. They were fined £225,000, which at the time was the second highest fine for this type of breach. The Trust experienced a medical data breach when thousands of patient records were found abandoned in a disused hospital.


Bupa

Bupa faced a significant fine for not having sufficient security measures in place to protect their customers’ personal details.

Bayswater Medical Centre

Bayswater Medical Centre received their fine for leaving extremely sensitive information in an empty building. This was highly unprofessional and reckless, as anyone could have got patients’ private medical details out of that building.

Other medical data breach examples

  •       A former employee of a doctor’s surgery inappropriately accessed the records of both patients and other staff members
  •       A GP surgery received a £40,000 fine after it exposed confidential information about a woman and her family to her estranged ex-partner
  •       An ex-nursing auxiliary accessed her neighbour’s medical records without any valid legal reason

Are you due compensation for a medical data breach?

Cybercriminals are always finding new ways to successfully infiltrate companies and access unauthorised data. However, this doesn’t completely exonerate healthcare organisations. If they have all the necessary measures in place and have done everything in their power to keep your data safe, it is unlikely that any claim you started would lead to compensation. In situations where they don’t have robust security processes in place, putting patient data at risk, they need to be held to account for this negligence.

That is why it would be advantageous to wait for the results of any ICO investigation before starting a claim. In the majority of cases, medical data breaches occur because of human error and the failure to have suitable and secure processes.

What compensation could you claim for?

You could make a claim for lost medical records compensation in the UK if a healthcare organisation has failed to protect your personal details, whether or not you have suffered as a result of the breach. However, in circumstances where you have experienced financial losses, medical harm, anguish or anxiety, a more serious case can be made.

Financial losses

A medical data breach, like an NHS data protection breach, has the potential to result in both financial and identity theft. The impact of either of these can be devastating. If they gather enough of your information, cybercriminals could apply for credit in your name, set up fraudulent bank accounts, and gain access to your existing accounts.

Emotional distress

If you haven’t incurred any financial losses, that doesn’t mean you definitely don’t have a claim for medical data breach compensation or that you haven’t suffered. A personal breach of your data is like the digital version of being burgled. With that in mind, if a criminal broke into your home and stole sensitive details about you, you would feel distressed. So, why would you feel any less upset when your medical data has been involved in a breach?

Being the victim of a crime can have a serious effect on your mental and physical health. For some individuals, symptoms of distress could include not being able to sleep, feeling ill, constantly on edge or unsettled or confused. Stress can also impact external factors in your life like friends, family, and even your job.

The full extent of a medical data breach is not always immediate

In data breach cases, the full effects are not always felt straight away, and it can be months after the violation before the complete extent of it is realised. This often happens where sensitive medical information is accessed, as experiencing this type of data breach can lead to adverse life events further down the line. For example, a confidentiality breach could result in needing to move house or area, losing a job, relationship stress or separation, and distancing from family and friends. All of these factors can mean the victim ends up with a diagnosable psychological injury, and this typically occurs several months after the breach.

Can you sue the NHS for a data breach?

The NHS helps thousands of people around the country every day and no one really wants to sue it. However, the vast amount of information we share with healthcare organisations is enough to leave us vulnerable to the serious threat of fraud, anxiety, and stress, meaning NHS data breach compensation can often be claimed.

Given that the large majority of data breaches in the NHS are caused by human error, more needs to be done to ensure that any organisations found by the ICO to be lacking in data protection measures are held to account for the harm they have helped to cause.

As well as this, in today’s digital age, any and all personal information is valuable. So, when this private data is accessed without permission, people have a right to NHS data breach compensation. Compensation can be pursued whether they have suffered actual or potential financial loss or psychological effects because of an NHS medical data breach.

Can you claim compensation for a GP data breach?

Like with other medical organisations, GP surgeries have an obligation to keep your data safe and out of reach of any unauthorised third parties. If your GP surgery has not kept to this obligation, you may be able to start a claim. You could have a claim if your surgery has mishandled your sensitive data or exposed it by not following GP data protection guidelines.

Can you make a claim for compensation for loss of medical records?

Lost medical records compensation in the UK is a weighty issue within medical and personal data law. Your medical records may have been inadvertently deleted, misplaced, or stolen, any of which is a form of medical negligence.

This is a serious problem and could be dangerous if you go into surgery with a doctor who does not have fully up to date medical records about you. Or you could get a misdiagnosis because your doctor has not had access to your family history. For reasons like these, being able to claim NHS compensation is extremely important.

How can your medical records be lost?

There are multiple ways in which a hospital or doctor could lose your medical records. Some of these ways include:

  •       A stolen employee’s or medical professional’s laptop
  •       A mistake in a delivery
  •       Forgetfulness (human error)
  •       Hacking
  •       The elimination of the data not happening correctly

Why is losing your medical records so dangerous?

The main reason why lost medical records are so dangerous is that they inhibit your doctor’s ability to fully diagnose and treat you. Ensuring records are kept confidential and safe is just one of the areas of care they need to handle sensitively. The information needs to be readily available to your doctor for a good reason. This means that if it goes missing completely, or even if parts of it are lost, it can be dangerous to your health and the care you are getting from your doctor. With the help of the professional data breach solicitors we refer you to, you can make a claim for lost medical records compensation in the UK.


We can put you in contact with expert solicitors that have dealt with a substantial number of medical data breach cases. Their extensive knowledge and experience will ensure you are given the best chance of success when you make a claim for medical data breach compensation. 

What to do when your manager or employer shares your personal information with other employees UK


Employers hold a substantial amount of private data about their employees, and sadly, this data doesn’t always stay private. If an employer or another employee misuses your information or enables it to end up in the wrong hands, this can result in very serious consequences. 

Data breaches in the workplace can be related to pay and conditions, sickness and absenteeism, disciplinary and grievance disputes, and even personal medical information which has been inappropriately shared and/or disclosed. Anyone whose personal details have been breached within a workplace might have suitable grounds to claim compensation.

We can put you in touch with expert solicitors who have extensive experience in workplace data breaches where an employer has been sharing personal information with other employees and other instances of private information being compromised in this manner. Examples of the types of workplace data breaches our recommended solicitors can help you with include:

  •       Documents left in communal work areas or on top of shared printers
  •       Information being sent to the wrong email recipients, whether that be internally or externally
  •       Employers or employees misusing confidential data that relates to other employees, customers, or any other individuals
  •       Personal details being accessed by an unauthorised third party in a cyber attack caused by the employer or employee’s negligence
  •       Failing to properly dispose of or destroy confidential data which has led to it ending up in someone else’s hands

A data breach in the workplace can be very distressing and have serious consequences for those involved. In a lot of cases, these data breaches are simply caused by human errors, which can make living with the aftermath even more upsetting.

On top of the potential financial implications that identity theft or financial crime can have, there is a great deal of emotional distress involved. Compensation, therefore, can be essential to help people who have suffered an employee data breach pick up the pieces and get their lives back on track. If a workplace has failed to protect your private data, we can help you make a claim for the compensation you deserve.


How do workplace data breach compensation claims work?

Understanding whether you are eligible for compensation

If your employer, HR, or someone else in your workplace has been responsible for an employee data breach, you will likely be entitled to claim compensation. Workplaces are obliged to have strict procedures in place to prevent, detect, report, and investigate any personal data breaches.

Security measures should be set that are suitable for the data being held, including introducing strong passwords and encrypting electronic data. Also, workplaces should tightly control who can access sensitive data, ensuring this is limited to those within the company that have a genuine need to access that specific data.

What can you claim for?

Financial losses

If your personal data is illegally accessed through a breach of employee information, it could potentially lead to financial crime and even identity theft. This is because cyber criminals can use the information they have gathered about you to apply for credit in your name, set up fraudulent bank accounts, and access your existing accounts. You could incur significant financial losses, and you can claim compensation for those losses.


Having your personal data stolen can have a big impact on your mental and physical wellbeing. It is common for individuals who have suffered a data breach to be unable to fall asleep and feel ill, unsettled, or confused. This type of emotional distress can be very serious, and so damages can be sought as a result.

The process of a claim

The first step in a workplace data breach claim is for the organisation responsible to be contacted by our recommended solicitors on your behalf. In this initial stage, any findings from the ICO can be used to help when speaking with the organisation. When it has been established that a breach has occurred and the consequences of that breach for you have been fully assessed, a value can start to be placed on your claim.

In a lot of cases, workplace and employee data breach claims can be settled without having to follow court proceedings. However, if a settlement can’t be reached, court proceedings might be needed to secure your compensation.

Can you sue your employer for disclosing your personal information?

The Data Protection Act 2018 details that employers can only collect personal data that is thought to be ‘adequate, relevant, and necessary’, and that they must highlight any detrimental effects on the privacy of an individual. The DPA also states that any organisation that is using personal data must prove that:

  •       Employees were informed of the purpose and reason for this use of personal data
  •       Employees were provided with a clear explanation of how their data would be handled

Employees also need to freely consent to their data being used, meaning you could be in a position to take action against your employer if your personal data was disclosed without your permission.

What data breach risks do social media platforms pose?


There has been an increase in recent years in social media users’ concern about their privacy. Data breach incidents have alarmed many users and encouraged them to rethink not only their relationship with social media but also the security of their personal information. The many examples of data breaches that are tied to social media have steadily corroded public trust and led to a lot of users questioning whether they have lost control over their own data.

A recent study revealed that 80% of social media users are concerned about businesses and advertisers accessing and using their social media posts and details. Growing privacy concerns have prompted advocacy for tighter regulations and have put companies responsible for safeguarding personal data under more scrutiny.


What are the possible threats and risks to privacy on social media?

Cyber criminals are well versed in tricking social media users into handing over their sensitive information, stealing personal data, and gaining unauthorised access to users’ private accounts. Some typical threats that can be a risk to social media users are:

Data Mining

Everyone leaves a data trail behind them on the internet. Each time a person creates a social media account they provide their personal details, which can include their name, date of birth, geographical location, and interests. Also, companies actively collect data on user behaviours, i.e. when, where, and how users interact with their platform. This data is then stored and leveraged to better target advertising to their users. In some cases, companies will share their users’ data with third party entities. Often this is done without the users’ knowledge or permission.

Phishing Attacks

Phishing is one of the most common ways for criminals to get sensitive information from you. Typically, they will contact you by email, text message, or phone call and present themselves as a legitimate organisation. They then trick you into sending your personal data to them, including passwords, bank details, and credit card information. Phishing attacks can often pose as social media platforms. For example, in August 2019 a huge phishing attack targeted Instagram users by pretending to be a two-factor authentication system and pushed users to log in to a false Instagram page.

Malware Sharing

Malware is designed to gain access to computers and the data they contain and will be used to steal sensitive information, extort money, or profit from forced advertising once it has infiltrated the system. Social media platforms are an ideal delivery system for malware distributors. As soon as an account has been compromised, cybercriminals can take over and distribute malware to all of the user’s friends and contacts on the social media platform.

Bot Attacks

Social media bots are automatic accounts that create posts or follow new people whenever a specific term is mentioned. A large group of bots can form a network called a botnet. Bots and botnets are prevalent on social media platforms and are used to steal data, send spam, and launch DDoS (distributed denial of service) attacks that will allow hackers to gain access to people’s devices and networks.  


How can you protect your data on social media?

Millions of people around the world use social media every day, and with that there will always be the risk of your personal information falling into the wrong hands. However, there are things you can do to mitigate the risk of this happening as much as possible.

1) Close down accounts you don’t need and don’t open new accounts unless it is completely necessary

If you find yourself not using a social network, consider deleting both the account and the application from your devices, so there is no chance of any inadvertent data sharing: social media networks could in theory access all information and activity on your phone. Also, try to limit the number of social media networks you use so that your data isn’t spread out all over the internet.

2) Know your friends

On certain social networks like Twitter this is difficult. On Facebook, however, make sure you are only friends with people you know and trust, and regularly review your friends list to limit who sees what you’re sharing.


3) Pay attention to your privacy settings

In the past, privacy settings on social media have been lacking and difficult to navigate, but companies like Facebook have slowly been making it easier to limit who sees your personal data to trusted friends. Twitter and Instagram, as well as other platforms, give you the option to limit who can see your posts and who can follow you. You should also check your privacy settings regularly, as there have been incidents of them suddenly and inexplicably changing.


4) Share as few identifying details about yourself as possible

Professionals like to use their name and place of employment to build a reputation on LinkedIn and other social platforms, but if you can avoid doing this you should. With this information, cybercriminals can guess your work email address or even your personal one and launch targeted phishing attacks that will seem all the more credible with a description of your job that you likely provide on your profile. You should always make sure that your privacy settings are at a level that you feel comfortable with and only connect with people you have a professional relationship with.


5) Don’t use your social profiles to log into other websites

Even though it might be more convenient to click the “log in with Facebook” option instead of creating a new account, this exposes you to possible security risks that become more serious when you consider that every time you share your data across platforms you are pooling more and more into a single location. Be mindful that all of the Facebook data and any other data you have shared on other accounts using your Facebook credentials may be accessed by cybercriminals if the third-party site is hacked.


Social media platforms are a popular and common way to stay up to date with friends and family, but they do pose risks when it comes to data breaches. Therefore, it is important to be aware of the risks and what you can do to minimise them as much as possible, so you can enjoy social media in the safest way possible.

How Can You Protect Yourself From Further Harm Following a Data Breach?


Being a victim of a data breach can often mean you are more vulnerable to fraudulent attacks by cybercriminals. However, if your personal data has been compromised in a breach there are things you can do to protect yourself from further incidents. Knowing the steps to take when you have been part of a breach could mean you don’t have to face any further repercussions or stress after already having your information taken.

Protecting your finances

If you know your financial details have been accessed during a data breach, the first thing you should do is contact your bank and/or credit card provider. Alerting them to the situation will mean you can stop your transactions and possibly change your details quickly and easily should there be any purchases made with your details.

This leads into the next step you should take: checking all your bills and emails for goods or services you know you have not ordered, and checking your bank account for unfamiliar transactions. Naturally, if you do see any transactions or orders you don’t recognise, you should contact your bank or credit card provider straight away.

It is also important to keep an eye on your credit score: if a cybercriminal takes out credit in your name and you have not noticed it another way, there could be a noticeable dip in your credit score. You can contact credit reference agencies like Experian or Equifax to check that no credit has been taken out in your name without your knowledge.

Attempts to extract further financial information can be a significant threat in the aftermath of a data breach, so it is important to know what to look out for to avoid them. You should never provide your PIN, full password, or any other information that someone asks you for, even if they claim to be from your bank. Also, you shouldn’t feel pressured into moving money into another account for fraud reasons.

Your real bank would not ask you for these details or complete a transaction of this nature. It is vital that you don’t reveal any personal details until you have confirmed the person’s true identity and that they are from the company they say they are.

Phishing attacks and further attempts to get your information

Even if your financial details were not accessed during the data breach, criminals can use the personal information they do have to try and pose as a company you know to get more information from you to potentially commit fraud. Below are some steps and key points to keep in mind when your data has been breached.

  •       If the organisation that breached your data provides security instructions you should follow them
  •       Don’t click on any links or downloads from emails or text messages that look suspicious and that you don’t recognise
  •       Delete any old accounts that you don’t use anymore to limit your data exposure
  •       Never assume an email or phone call is authentic just because the person has your contact details
  •       Stay alert and be careful who you trust, criminals can often use scare tactics in an attempt to trick you into revealing your security details
  •       Even if you recognise a name or number from someone contacting you it might not be genuine
  •       Don’t feel rushed or pressured into making a decision, a trustworthy organisation would not force you to make a financial transaction straight away
  •       Trust your gut instincts and question anything that does not feel right to you
  •       Contact your bank on a number you know and trust to check if a communication was genuine
  •       Be cautious of communications that refer you to a web page asking you to input personal data
  •       Review your online privacy and security settings


Secure data protection practices to prevent further threats

There are ways in which you can keep your data more secure following a data breach, to stop the situation escalating and to prevent further threats of cyber attacks. These include:

  •       Changing your passwords regularly and using a strong, different password for every account (a password manager can help you with this)
  •       Keeping your internet security software up to date to protect your devices
  •       Registering with the Cifas protective registration service to slow down credit applications that could have been made in your name


If you think your data has been involved in a breach and you want to make a claim for compensation contact us today. We can put you in touch with expert solicitors that can confirm whether you have a valid claim that is worth pursuing. Even if the breach has not led to any direct financial losses you are still entitled to make a claim for any distress having your data breached has caused you. 

Can I sue for data protection breach?


The short answer to this question is yes. The GDPR was introduced in May 2018 to ensure personal data is not misused, destroyed, disclosed, or lost. So, if you think your data has been treated in this way and not fully protected you have the right to sue a company and receive compensation for the data breach.


Data breach compensation

Under GDPR law, if a company that is holding your data suffers a data breach, you could be entitled to claim data breach compensation if you have experienced some form of a loss as a result, or if you have suffered with mental health symptoms like anxiety or emotional distress because of your data being breached.

It can be difficult to know if your personal data has been breached sometimes as every situation is different. You will know it is a data breach if your personal data is lost, destroyed, accessed, or disclosed in an unauthorised way whether that is deliberate or by accident by someone inside or outside the organisation. Data breaches can involve:

  •       Personal health information
  •       Medical documents
  •       Social services documents
  •       Financial information
  •       Sensitive, protected, or confidential information


Who can you claim against for a breach of data protection?

You can make a claim for a data breach against an individual or an organisation either in the public sector, private sector, or charitable sector. In some cases, there can be more than one defendant. Usually, GDPR claims and data breach claims are settled out of court, but each situation is different.


How much can you claim in data breach compensation?

The amount of compensation you can get will depend on the type of data breach and how it has impacted your life both financially and mentally. The law in this area is currently under development and the courts are yet to provide any specific guidelines on what will be awarded to data breach claimants. However, damages awarded in employment discrimination cases can offer some guidance on the subject and are divided into three bands.

  •       £900-£8,600 for less serious cases where the incident was just a one off, for example:

        Disclosure of an individual’s name, date of birth, home address, and email address, £1,000-£1,500

        Disclosure of information linked to a medical data breach, £2,000-£5,000

        Disclosure of financial information, £3,000-£7,000 depending on the effect of the breach


  •       £8,600-£25,700 for a breach that is more serious than the first band.
  •       £25,700-£42,900 if there has been a protracted pattern of default, which has caused depression or other illnesses. Medical evidence would be required to support this alongside evidence to back up any other losses such as earnings.


What happens if the organisation doesn’t pay the compensation?

If you have a strong case against an organisation for a data protection breach and they are refusing to pay the compensation, your next step would be to make a claim in court. The court would decide your case and, if it agreed with you, it would decide whether the organisation has to pay you compensation and, if applicable, how much. It is strongly recommended that you take independent legal advice on the strength of your case prior to taking any claim to court. We can help put you in contact with experienced data breach solicitors who can discuss with you whether your case is worth pursuing. Get in touch with us today to find out more.


Who should you inform of a possible data breach?

Data breach cases are not always straightforward and can require a bit more digging to get all the key details. If you suspect a data breach has occurred, it is recommended that you contact the Information Commissioner’s Office (ICO), the UK’s data protection regulator and supervisory authority for GDPR compliance. The ICO can investigate the incident and determine if an organisation is at fault for the breach. This can be quite a slow process, but it can lead to an increased chance of a successful compensation claim. The ICO does not award compensation. To get compensation, you need to make a claim against the organisation that breached your data.

However, a significant fine or a factual report from the ICO that the organisation in question is responsible for the data breach will be extremely valuable in your claim. You are not required to contact the ICO or wait for its investigation to end before you make a claim. You can bring a case against a company directly without involvement from the ICO. It will, however, be more beneficial to go through the ICO first to help strengthen your case.


What should you do if you are notified that your data has been breached?

  •       Change your passwords

If your data has been breached and you use similar login information, like usernames and passwords, for other websites or online accounts, you should change those details straight away.

  •       Keep an eye on your bank accounts and credit report

You might want to watch your bank accounts and other online accounts closely over the next few months, particularly if you think or know that the breach involved financial details or other details the hacker could use to commit identity fraud. If you see anything unusual you should contact your bank immediately and explain that you have been a victim of fraud. Also, it is important to check your credit report to ensure credit isn’t taken out in your name.

  •       Be aware of scams

If you are contacted over the phone asking for personal details or passwords you should take steps to check their true identity. Ask them to give you details that only the company they claim to be calling from would know. For example, details of your service contract or how much you pay per month. Keep in mind that scammers could have access to more of your personal information than seems normal. So, if you are suspicious of the caller, hang up the phone, look up the company’s phone number, and ring them for yourself.


© DataBreach Claims 2022. Data Breach Claims is a trading name of SJS Legal Limited (company number: 10598802). SJS Legal is authorised and regulated by the Solicitors Regulation Authority (SRA Number: 639197). This website is operating in accordance with the privacy policy. ICO reg no. ZA473694. Data Breach Claims connects clients to regulated solicitors who deal with data breaches. We do not perform any legal services but simply connect you to a legal representative.
