Our collective has dealt with over 14,000 data breach cases


NHS or Medical Data Breach Compensation: Everything You Need to Know Before Starting Your Claim


Peter Hammond, GDPR Solicitor

Peter is a solicitor who has worked as a professional litigator for many years. More recently Peter has specialised in data breach compensation claims and over the last 2.5 years has gained a wealth of knowledge in this sector. Peter now works with us to share his knowledge and inform the general public.

Medical data breaches have become more common over recent years as the healthcare sector is increasingly moving online. This has made it a valuable target for hackers and cybercriminals. As a result, recent statistics have revealed that the UK health sector makes up almost half of all data breaches nationally. However, figures from the ICO (Information Commissioner’s Office) show that the main cause of healthcare data breaches is actually human error, and these mistakes are just as likely to happen offline as they are online.

Types of medical institutions you could claim against

  • GPs
  • Pharmacies
  • Dentists
  • Hospitals / NHS Trusts
  • Individual healthcare staff
  • Private health companies
  • Opticians

Previous examples of medical data breaches and the consequences

When a data breach occurs, the consequences for compromising and putting patient data at risk can be very serious. The ICO, upon investigation, can respond with severe actions like hefty financial penalties and prosecutions.

| Name of the company | Amount they were fined |
| --- | --- |
| Brighton & Sussex University Hospitals NHS Trust | £325,000 |
| Belfast Health and Social Care Trust | £225,000 |
| Bupa | £175,000 |
| Bayswater Medical Centre | £35,000 |


Brighton and Sussex University Hospitals NHS Trust

The penalty against Brighton and Sussex was at the time the largest medical data breach compensation in the UK. The organisation had to pay £325,000 as a fine after they were subject to a breach that released hard drives full of healthcare information. The thieves put the hard drives on eBay for sale, which gives you an idea of the potential risk to those affected.

Belfast Health and Social Care Trust

Belfast Health and Social Care Trust had to pay a hefty amount of money to compensate for the loss of sensitive information. They were fined £225,000, which at the time was the second highest fine for this type of breach. The Trust experienced a medical data breach when thousands of patient records were found abandoned in a disused hospital.


Bupa

Bupa faced a significant fine for not having sufficient security measures in place to protect their customers’ personal details.

Bayswater Medical Centre

Bayswater Medical Centre received their fine for leaving extremely sensitive information in an empty building. This was highly unprofessional and reckless, as anyone could have got patients’ private medical details out of that building.

Other medical data breach examples

  • A former employee of a doctor’s surgery inappropriately accessed the records of both patients and other staff members
  • A GP surgery received a £40,000 fine after it exposed confidential information about a woman and her family to her estranged ex-partner
  • An ex-nursing auxiliary accessed her neighbour’s medical records without any valid legal reason

Are you due compensation for a medical data breach?

Cybercriminals are always finding new ways to successfully infiltrate companies and access unauthorised data. However, this doesn’t completely exonerate healthcare organisations. If they have all the necessary measures in place and have done everything in their power to keep your data safe, it is unlikely that any claim you started would lead to compensation. In situations where they don’t have robust security processes in place, putting patient data at risk, they need to be held to account for this negligence.

That is why it would be advantageous to wait for the results of any ICO investigation before starting a claim. In the majority of cases, medical data breaches occur because of human error and the failure to have suitable and secure processes.

What compensation could you claim for?

You could make a claim for lost medical records compensation in the UK if a healthcare organisation has failed to protect your personal details, no matter if you have suffered as a result of the breach or not. However, in circumstances where you have experienced financial losses, medical harm, anguish or anxiety, a more serious case can be made.

Financial losses

A medical data breach, like an NHS data protection breach, has the potential to result in both financial and identity theft. The impact of either of these can be devastating. If they gather enough of your information, cybercriminals could apply for credit in your name, set up fraudulent bank accounts, and gain access to your existing accounts.

Emotional distress

If you haven’t incurred any financial losses, that doesn’t mean you definitely don’t have a claim for medical data breach compensation or that you haven’t suffered. A personal breach of your data is like the digital version of being burgled. With that in mind, if a criminal broke into your home and stole sensitive details about you, you would feel distressed. So, why would you feel any less upset when your medical data has been involved in a breach?

Being the victim of a crime can have a serious effect on your mental and physical health. For some individuals, symptoms of distress could include not being able to sleep, feeling ill, being constantly on edge, or feeling unsettled or confused. Stress can also impact external factors in your life like friends, family, and even your job.

The full extent of a medical data breach is not always immediate

In data breach cases, the full effects are not always felt straight away, and it can be months after the violation before the complete extent of it is realised. This often happens where sensitive medical information is accessed, as experiencing this type of data breach can lead to adverse life events further down the line. For example, a confidentiality breach could result in needing to move house or area, losing a job, relationship stress or separation, and distancing from family and friends. All of these factors can mean the victim ends up with a diagnosable psychological injury, and this typically occurs several months after the breach.

Can you sue the NHS for a data breach?

The NHS helps thousands of people around the country every day and no one really wants to sue it. However, the vast amount of information we share with healthcare organisations is enough to leave us vulnerable to the serious threat of fraud, anxiety, and stress, meaning NHS data breach compensation can often be claimed.

Given that the large majority of data breaches in the NHS are caused by human error, more needs to be done to ensure that any organisations found by the ICO to be lacking in data protection measures are held to account for the harm they have helped to cause.

As well as this, in the modern digital age we are in today, any and all personal information is valuable. So, when this private data is accessed without permission, people have a right to NHS data breach compensation. Compensation can be pursued whether they have suffered actual or potential financial loss or psychological effects because of an NHS medical data breach.

Can you claim compensation for a GP data breach?

Like with other medical organisations, GP surgeries have an obligation to keep your data safe and out of reach of any unauthorised third parties. If your GP surgery has not kept to this obligation, you may be able to start a claim. You could have a claim if your surgery has mishandled your sensitive data or exposed it by not following GP data protection guidelines.

Can you make a claim for compensation for loss of medical records?

Lost medical records compensation in the UK is a weighty issue within medical and personal data law. Your medical records may have been inadvertently deleted, misplaced, or stolen, any of which is a form of medical negligence.

This is a serious problem and could be dangerous if you go into surgery with a doctor who does not have fully up-to-date medical records about you. Or you could get a misdiagnosis because your doctor has not had access to your family history. For reasons like these, being able to claim NHS compensation is extremely important.

How can your medical records be lost?

There are multiple ways in which a hospital or doctor could lose your medical records. Some of these ways include:

  • The theft of an employee’s or medical professional’s laptop
  • A mistake in a delivery
  • Forgetfulness (human error)
  • Hacking
  • Data disposal that was not carried out correctly

Why is losing your medical records so dangerous?

The main reason why lost medical records are so dangerous is that their loss inhibits your doctor’s ability to fully diagnose and treat you. Ensuring records are kept confidential and safe is just one of the areas of care they need to handle sensitively. The information needs to be readily available to your doctor for a good reason. This means that if it goes missing completely, or even if parts of it are lost, it can be dangerous to your health and the care you are getting from your doctor. With the help of the professional data breach solicitors we refer you to, you can make a claim for lost medical records compensation in the UK.


We can put you in contact with expert solicitors that have dealt with a substantial number of medical data breach cases. Their extensive knowledge and experience will ensure you are given the best chance of success when you make a claim for medical data breach compensation. 
