Someone Shared My Medical Records – Can I Claim Compensation?
Has a medical facility shared your medical records without a lawful basis to do so? Lots of different organisations may have processed your health data, such as the NHS or a private healthcare clinic.
There are strict laws regarding the way that personal data must be processed and you could be entitled to compensation if the party concerned failed to follow them.
In this guide, we explain why health data is classified as more sensitive than other personal data, look at the two main types of compensation you may be eligible for, and set out the evidence you would need to claim them. If you have a specific question this guide does not cover, please contact our advisors for free legal advice by:
- Calling our team on 0203 870 4868
- Contacting us online for a callback
- Using the ‘live support’ option at the bottom right of the page.
The Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) require data controllers (the organisations, such as medical facilities, employers or banks, that decide how and why your personal data is processed) to protect the confidentiality, integrity and availability of that data.
Personal data is any information that, on its own or combined with other data, could identify you. Data protection law covers all personal data, and gives extra protection to a more sensitive subset called special category data, which we look at further below. Examples of general personal data include:
- Name and address
- Email and contact numbers
- Bank, debit and credit card details
The Information Commissioner’s Office (ICO), an independent public body, regulates and enforces data protection law in the UK. It can fine organisations that fail to handle personal data in line with the UK GDPR.
A personal data breach is a security incident, whether accidental or deliberate, that leads to the destruction, loss, alteration or unauthorised disclosure of personal data, or to unauthorised access to it.
Controllers and processors must be able to point to at least one of the 6 lawful bases for processing whenever they handle personal data. In addition, the 7 core principles of the UK GDPR require that personal data is:
- Processed lawfully, fairly and transparently
- Collected only for specified, explicit purposes (purpose limitation)
- Kept to the minimum necessary (data minimisation)
- Accurate and kept up to date
- Stored for no longer than necessary
- Handled with appropriate security, protecting its integrity and confidentiality
- Processed by a controller who takes responsibility for, and can demonstrate, compliance (accountability).
Health data is special category data. It must be processed with even greater care because of the harm a breach could cause the data subject. Health data includes information such as:
- Diagnosis and prognosis reports
- Blood test results
- X-rays, CT scans and other medical readings
- Medication regimens
- Counselling or psychotherapy reports
- Genetic or biometric data
Central to a successful shared medical records data breach claim is being able to show where the data controller or processor failed to meet its data protection obligations, whether through action or inaction.
Sharing medical data may be lawful if it rests on one of the 6 lawful bases for processing. Because health data is special category data, the UK GDPR adds a further requirement: the controller must also satisfy one of the specific conditions for processing special category data, such as processing that is necessary for health or social care purposes. In medical scenarios the lawful basis could be ‘vital interests’.
For example, a doctor may need to share medical information in an emergency when the patient is incapable of giving consent. This could involve an outside healthcare professional, independent specialist or social services agency brought in to meet the patient’s needs.
The 6 lawful bases for processing are:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
A successful shared medical records data breach claim will meet the following criteria:
- The data controller or processor failed to comply with data protection law
- Because of this failure, your personal health data was involved in a breach
- The breach caused you emotional distress or a mental health condition, or you suffered financial losses, or both.
Unlawfully shared medical records could mean that very personal information about you or your dependants leaks into the public domain. Once exposed, criminals could exploit it: debts run up in your name, bank details used fraudulently and funds stolen. In severe cases, medical data can even be used to blackmail people.
A health data breach exposes very personal information about a person’s health. This can have a serious effect on mental health and can lead to conditions such as anxiety, depression and even post-traumatic stress disorder. The financial and emotional damage caused by such privacy violations can take months or even years to recover from.
Data breach cases can be complex and detailed, and establishing exactly where the wrongful action or omission occurred is not always clear. Speak to our advisors for help with this.
How Long Do I Have To Claim After Unlawfully Shared Medical Records?
As well as the potential complexity of shared medical records data breach claims, there are time limits to be aware of. You currently have 6 years to start a claim for a data breach. This reduces to 1 year where the claim is brought under the Human Rights Act against a public body.
You can complain to the data controller as soon as you become aware of a problem. Controllers must report a breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to people’s rights and freedoms, and where that risk is high they must also inform the affected data subjects without undue delay. You also have the option of complaining to the ICO yourself.
There is no real ‘average’ compensation amount for shared medical records data breaches. Any award will depend on the strength of the evidence presented. With this in mind, there are two areas in which damages can be calculated.
The first is material damage, meaning financial losses. You will need documented proof, such as bank statements, paid invoices or other evidence of out-of-pocket costs directly caused by the breach. Losses claimed may include:
- Money taken from your accounts, as shown on your bank statements
- Debts arising from false credit set up in your name
- Counselling costs for the stress caused.
The second is non-material damage. The precedent case Vidal-Hall v Google Inc established that emotional distress can be claimed in its own right in data breach claims. Before this case, a claim generally had to show a financial loss.
The table below uses the Judicial College Guidelines, which legal professionals often use when valuing physical or mental harm. When claiming for severe health conditions, a medical report may be needed to support your claim. The figures are not guarantees, but they show what could be possible:
| Description of Psychological & Psychiatric Damage | Severity Level and JC Guideline Bracket Award | Supporting Notes |
|---|---|---|
| Psychiatric Damage of a General Type | (a) Severe Level - £54,830 to £115,730 | Significant problems with work, relationships or education. |
| Psychiatric Damage of a General Type | (b) Moderately Severe Level - £19,070 to £54,830 | Similar problems to the bracket above but a better prognosis for recovery. |
| Psychiatric Damage of a General Type | (c) Moderate Level - £5,860 to £19,070 | A marked improvement by the time the case is heard. |
| Psychiatric Damage of a General Type | (d) Less Severe Level - £1,540 to £5,860 | Award reflects how long the injury lasts and any specific phobias or anxiety issues. |
| Post-Traumatic Stress Disorder (PTSD) | (a) Severe Degree - £59,860 to £100,670 | Permanent effects from the trauma that impact all areas of the person's life. |
| PTSD | (b) Moderately Severe Degree - £23,150 to £59,860 | Similar severity to the bracket above but some improvement after professional help and counselling. |
| PTSD | (c) Moderate Degree - £8,180 to £23,150 | Largely recovered, with any remaining issues being manageable. |
| PTSD | (d) Less Severe Degree - £3,950 to £8,180 | A virtually complete recovery within 2 years, with any issues persisting beyond that being minor. |
With this in mind, you may have reservations about working with a solicitor. Will it be costly? What happens if your case is unsuccessful? How complicated are data breach claims? A data breach solicitor working under a No Win No Fee agreement could offer a solution.
A Conditional Fee Agreement (CFA) is one way to fund your solicitor’s services. Under a CFA, No Win No Fee solicitors deduct a success fee of no more than 25% from any compensation awarded, and only if the case wins.
If the claim loses, there is generally nothing to pay your solicitors. This could enable you to start a claim with expert help and no upfront cost. Find out more by calling our team on 0203 870 4868, contacting us online for a callback, or using the ‘live support’ option.
Healthcare Data Breach Claim References
- Were your medical records shared as a result of an email data breach?
- Did an organisation fail to redact your details before sharing them?
- When unsecured devices lead to breached data
- Read more on the Data Protection Act 2018
- Statistics show how common data breach incidents are
- Tips for staying safe online.