NHS & Medical Data Breach Compensation Claims – What You Need To Know

In this guide, we will explain the steps you could potentially take should your personal data be compromised in an NHS data breach. For compensation claims following a data breach to be valid, you must satisfy the criteria that we set out later in this guide. 

This guide also includes information on what a breach of medical data is and how a breach could occur compromising your personal data.

Finally, we’ll discuss No Win No Fee claims and how one of our recommended data breach solicitors could help you claim following a breach. To learn more or to get started with a claim, contact our team today by:

  • Calling on 0333 241 2521
  • Contacting us online

What Are Medical Data Breach Compensation Claims?

The personal data of UK residents is protected by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).

These two pieces of legislation set out the responsibilities of data controllers, those who set the means and purpose for processing, and data processors, those who act on the controller’s instruction. 

Controllers and processors must adhere to data protection law when processing, handling and storing your personal data. If they fail to do so, it could lead to a personal data breach that compromises data concerning your health, including medical records. 

A personal data breach occurs when the integrity, confidentiality, or availability of your personal data is compromised in a security incident. Under the legislation mentioned above, data concerning your health is classed as special category data. This means it receives more protection than standard personal data, in part because the consequences of an event such as an NHS data security breach can sometimes be severe. 

How Can Medical Data Breaches Happen? 

Medical data breaches can happen in a number of ways, with examples of some common causes including:

  • Wrong postal address: If a letter containing your medical data is sent to the wrong postal address, this could allow an unauthorised party to access it.
  • Loss of records: If your medical data has been lost or misplaced, this could mean that your medical records are not available when needed.
  • Cyber security incident: If an organisation has inadequate security controls in place, this could allow cybercriminals to break into its systems and steal or expose your personal data.


If there has been a failure to adhere to data protection law, the Information Commissioner’s Office (ICO) can take enforcement action against the organisation responsible. The ICO is an independent body that upholds UK data subjects’ rights and freedoms. Whilst they can investigate your concerns, they are not able to award compensation for the way a data breach has affected you.

Call our advisors to discuss the potential steps you could take if you receive a notification that your personal data was involved in an NHS data protection breach. Compensation claims could benefit from the help of a legal professional so call and have your case assessed for free today.

Who Could Make NHS Data Breach Compensation Claims?

In order to form the basis of valid medical data breach claims, you must be able to prove that:

  • The controller or processor processing your personal data did not meet their responsibilities as set out by data protection legislation,
  • This caused a personal data breach that affected your personal data,
  • You suffered harm as a result. This harm could be psychological, financial, or both.


You must also start your claim within 6 years. This is generally the time limit for beginning legal proceedings to claim compensation. Contact our team today to learn more.

What Evidence Do I Need To Prove A Data Breach Claim?

Collecting evidence is an important part of making a medical data breach claim. Some examples of evidence that you could use include:

  • A letter of notification informing you of the breach. 
  • Correspondence with the organisation responsible.
  • Correspondence with the ICO.
  • Medical reports that detail the psychological harm you suffered.
  • Financial documents illustrating the financial losses you suffered.


One of the benefits of choosing to work with a solicitor is that they can help you gather this evidence. To learn more about your journey to claim compensation, contact our team today.

Could I Claim On A No Win No Fee Basis For An NHS Data Breach?

Our solicitors could take on your claim under the terms of a specific No Win, No Fee agreement. Whilst there are different types of these agreements, the one they offer is called a Conditional Fee Agreement (CFA), which allows you to access their expert services without paying any fees for their work upfront, as your claim continues, or if it fails.

However, should your claim succeed, your solicitor will take a success fee. This is deducted from your compensation as a percentage that is capped by law, so you keep the majority of what you receive. 

To learn about how one of our solicitors could help you make a medical data breach claim, contact our team today by:

  • Ringing on 0333 241 2521
  • Contacting us online

NHS data breach compensation – FAQs

How much compensation can I expect from a medical data breach claim?

The amount varies depending on two factors.

  1. The severity of the data breach
  2. The impact it had on the victim


It is possible for the courts to award compensation for even non-financial losses, depending on the impact it had on the victim.


Do I need to prove harm with NHS data breaches?

Yes. To receive compensation, you need to show that the breach caused you harm, whether psychological (such as distress or anxiety) or financial, and evidence of that harm strengthens your claim. NHS data breach consequences can be extremely serious, especially where the information exposed is particularly sensitive.


How do I know if my personal data has been breached?

There are a few ways that you may find out that your personal data has been breached by an organisation.

Informed by the organisation – The most direct way to find out is for the organisation responsible to tell you. Data protection law requires them to inform you without undue delay if the breach is likely to result in a high risk to your rights and freedoms. That being said, not hearing anything does not always mean your data is safe.

Unusual activity – Many services warn you about a log-in attempt that differs from your usual behaviour, for example a log-in from a different country at a time you would normally be asleep. If this happens, change your password for that service and for any other account that shared it, and enable multi-factor authentication where the service offers it.

Phishing attempts – If you start receiving emails that seem off, that ask you to enter information or try to lure you into logging in when the organisation in question has never asked for such a thing before, you may be the target of a phishing attempt. These are often made to gather the last pieces of information needed to take over an account.

News – Keeping an eye on the news means you may hear about a large data breach before you are formally informed of it.


How long do I have to make a medical data breach claim?

In the UK, a medical data breach compensation claim is subject to a time limit, which depends on the legal basis of the claim.

Six Years – This is the general time limit for a data breach claim under data protection law.

One Year – This is the time limit where a claim is brought under the Human Rights Act 1998 against a public body, such as an NHS trust.

Limitation periods can be complex, particularly where you were not told of a breach until long after it happened. If you have only recently learned of a breach that occurred some years ago, you may still be able to claim, so seek advice promptly.


How long does the compensation claims process take?

The duration of a compensation claims process depends on several factors.

Complexity – Simple data breach claims, where liability is clear and the failure to protect information is obvious, can be resolved in a matter of months. Where matters are less clear-cut, such as disputed liability or a large volume of evidence, you could be waiting for years.

Willingness to Settle – Settling out of court is a good way to bring a swift and decisive end to a data breach claim, or any other type of claim. However, depending on the offer and your solicitor's advice, you may decide to reject it.

Amount of Evidence Required – Gathering sufficient evidence can sometimes take a long time, as you may have to wait for others to produce and send what you need.

Court Availability – Due to court workload or other scheduling constraints, you may find that the court itself pushes back or deprioritises your hearing.

Legal Proceedings – There are set timescales within which certain steps in court proceedings must be taken. Often these add to the waiting period.

Volume of Claims – A large data breach means that many people will be claiming compensation, so it is hard to predict how long it will take to work through them all. To make this easier on the courts, claims are sometimes brought together as a group action.


What changes with the medical data breach claim if it’s due to a cyber attack?

The circumstances of a data breach under the context of a cyber attack alter the process by the following:

Method – If the breach was due to a cyber attack, then someone deliberately targeted the organisation, which raises the question of who is at fault. The test under data protection law is whether the organisation had appropriate technical and organisational measures in place to protect your data. If it did, and a sophisticated attacker still got through, its culpability may be limited; if the attack succeeded because of known weaknesses, such as unpatched systems or weak access controls, culpability is much greater, as it would be if a rogue employee or a careless mistake caused the incident.

Extent – Cyber attacks deliberately attempt to take a large amount of information at once, whereas non-deliberate breaches usually expose a limited amount. This greatly increases the work involved in establishing what was taken and who was affected.

Investigations – Because cyber attacks usually involve large amounts of information, investigations into them will often take a long while.


What rights do I have as a victim of a data breach?

You have the following rights as a victim of a data breach, under the UK GDPR (General Data Protection Regulation) and the Data Protection Act 2018.

Right to be informed – The organisation responsible is required to inform you without undue delay if a breach is likely to result in a high risk to your rights and freedoms.

Right of Access – You have the right to ask the organisation what personal data it holds about you and to receive a copy.

Right to Rectification – You have the right to have inaccurate data about you corrected and incomplete data completed.

Right to Erasure – You have the right, in certain circumstances, to ask the organisation to erase the personal data it holds on you.

Right to Restriction of Processing – You have the right to request that the processing of your information be limited, but only in certain circumstances.

Right to Data Portability – You can request a copy of your personal data in a structured, machine-readable format and have it transferred to another organisation.

Right to Object – You can object to the processing of your personal data.

Right in Relation to Automated Decision Making and Profiling – You have the right not to be subject to a decision based solely on automated processing where that decision has legal or similarly significant effects on you.

Right to Compensation – If you suffer harm as a result of a data breach, you can exercise your right to compensation by making a data breach claim.

Right to Complain – You have the right to lodge a complaint with the Information Commissioner's Office.


If you have any other questions about when and how to make a medical data breach claim, call an advisor at the number above.

Eleanor Watts

Eleanor Watts is a skilled solicitor who specialises in handling data breach cases and leads the dedicated team at the Data Breach department. Her journey began at the University of Nottingham, where she earned her law degree, and she later pursued her master's in law at the University of Law. Becoming a qualified solicitor in 2021 after completing her training, Eleanor's focus turned to data protection and privacy claims, a field she has excelled in since the implementation of GDPR in 2018.

We're ready to help you get the compensation you deserve

Alternatively, give one of our solicitors a call free on 0333 070 5800

Lines open 9am – 5pm Mon to Fri
