Data protection breach at drs surgery - compensation?

[peony90]

Hello

A few months ago, I was told by an acquaintance that a woman who she was friends with (who was in the year above me at school and in the same year as my Husband) had told her personal things on my medical record. She is a receptionist at the surgery I used to be at.

The acquaintance knew how many miscarriages I’d had (not a number you could just pluck out of nowhere), what medication I was taking and how I was hospitalised in a psychiatric unit and the woman in question called me a “psycho” and divulged highly sensitive information about an overdose I took after losing another pregnancy in 2021 as well as both of my parents unexpectedly.

This is being fully investigated and they’ve admitted and confirmed that there was a data protection breach (I’m guessing her staff log in was recorded as opening my medical records when she had no reason to) but I’m still waiting to hear of the full outcome.

I am devastated, embarrassed and upset and my aunt who works for the NHS has advised me to seek compensation once the investigation is completed.

I still suffer from anxiety and depression which is usually well controlled however since the birth of my 2nd DD 6 months ago, I have been suffering PND and this has really knocked me. My antidepressants have been put up to a higher dose and I’ve needed anti anxiety tablets for the first time since 2022.

What would you do?

Long term user, name changed.

The NHS is funded by tax payers, including me. Think about where the money comes from. If you seek compensation, everyone on Mumsnet will be paying your compensation. Why would we do that? It isnt my fault. Also, think about what the money you want could do for the NHS. It sounds like sadly you have used the NHS a lot - would you be happy to find out the treatment you receive is substandard because money that should have been spent on your care was spent on compensation for one member of staff's misdemeanor? I'm not belittling what has happened and I would absolutely be pushing for that person to be disciplined (and almost certainly fired). But I can't see how paying you cash helps you or the NHS.

The receptionist will be sacked. I don’t think compensation is appropriate.
You have had a tough time but how much do you think you should get ? Money won’t make you feel better.

This is a breach of patient confidentiality by a rogue colleague rather than a GDPR breach as such (unless the receptionist claims that she had never received any information governance training from her employer). It is still totally unacceptable and the recrptionist will likely lose her job.

I previously experienced something similar involving raw therapy notes that were shared with my GP without my knowledge or consent. The notes contained false allegations and highly damaging comments about my husband - (I had no idea at the time these comments were in the notes)I eventually discovered they had been accessed after someone who knew a friend of mine mentioned the comments, and I was then able to see the notes myself on my NHS app.
I pursued every available complaints process - including PALS, the ICO and the Ombudsman, but ultimately got nowhere. It felt as though the organisations were protecting one another rather than properly addressing the issue.
There is now a flag on the record acknowledging that a data breach occurred, but the damaging notes themselves and my complaint letters all remain on my file/NHS app which is so invasive. I was told there was an investigation into the staff member involved, although I have never been informed of the outcome. I considered legal action not because I wanted compensation I wanted the notes removed or redacted.

You wouldn’t get compensation for this, and nor should you. This is a deliberate and malicious act by one person, it’s not the NHS’s fault - there was no breach of systems or error made. You haven’t suffered any financial loss or medical harm. You should be outraged that this person looked at your information, and they should lose their job due to gross misconduct but what do you think you should be paid compensation for, exactly?

Sorry this happened OP.

She'll lose her job and rightly so. Whst a horrible and grossly unprofessional thing for her to do.

If it was about your appendix and an ingrown toenail, I think there's no cause for compensation but your fertility and mental health are so personal and deeply private.

I suspect you will be offered compensation when the investigation concludes and rightly so. They are probably checking all records to see if there are other instances too.

Fair play to the lady who told you - hopefully it stops this happening to others.

Because those acting for the tax payers have a responsibility to act in accordance with the law. If the tax payers dont demand secure systems everyone suffers. It acts as a warning to others.

The GP surgery should have control mechanisms built in to ensure records are only accessed when a business need to do so. Ie booking an appointment. They should be doing spot checks on data accessed at other times. Conduct training

It might. If her PND has been exacerbated the claim may include cost of treatment. Plus she can use the damages to do something nice like have a holiday which can assist in getting past such a horrible experience.

@peony90 see a firm of solicitors that specialise in data breach and psychiatric injury claims. They will likely do it on a CFA (where you don't pay them unless you win) as liability won't be in issue

What a revolting comment to make. Perhaps fair compensation for the OP might assist with therapy to help with the damage caused to her by the surgery employee’s unlawful acts?

I have precious little time for hurt feelingz complaints. But medical providers in general and the NHS, as a public body, in particular should be held to the highest of standards. All staff should be fully aware that patient confidentiality is an absolute; having a nosey around medical records is indefensible and then telling someone else should be a criminal offence with jail time as the automatic punishment.

It’s not just about the OP and the harm to her, it’s about the undermining of a public service where it is vital the public have confidence in the confidentiality of their records. If this means that the NHS changes its contracts so that all members of staff are personally liable for any costs incurred from data breaches that have arisen from them having a browse of a person’s notes and then gossiping about those notes then so be it, because it’s fucking apparent to anyone with a functional brain cell that is wrong.

Go for everything you can OP, because it’s the only way public services learn.

Doctors surgeries are now private businesses so yes you should be compensated and if you aren’t take them to court without worrying you’re taking money from the NHS as it’ll be a private business who can cope with that and will be well insured too!

Of course employers should be held responsible for the conduct of their employees, especially when it seriously affects service users!

This.

I'd want the person sacked. There hasn't been any medical negligence to sue the NHS for and as far as I'm aware you cannot sue for distress.

Try one of the no fee no win medical helplines because it's a big thing.

I have a company willing to take me on for medical negligence resulting in physical damage to me. I have a 3 year window to make the claim.

I'd rather just piss off and put it all behind me. Mine involved tge surgery, the pharmacist, the specialist referred to...

So no, I don't think you have a chance of any compensation. An apology and the person being sacked is probably all that could happen.

They are, they can be fined for the data breach. It used to be £400, No idea what it is now, but was it a company data breach?

No. It was all down to one terrible employee.

Yes, you can get compensation for distress.

From the Information Commissioner's Office:

The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. This includes both “material damage” (e.g. you have lost money) or “non-material damage” (e.g. you have suffered distress).

Money sharpens things, giving it away hurts and should make the practice train their staff regularly and remind them often
of their duties and confidentiality and what happens after a breach.
for the OP she can keep any monies and use them for therapy like a PP said or to pass to a charity in support of a good cause. She can also keep and spend any compensation how she sees fit

That’s not how it works. When you claim against the NHS (for medical negligence, for example), any compensation comes from NHS Resolution, which acts like an insurer. All NHS trusts pay premiums in return for cover in case someone makes a successful claim. They have to pay these premiums whether there are any claims against them or not, so OP claiming compensation will not affect the amount of funding available for direct services at all.

Alternatively, if the GP practice is a private company, they will have insurance that will pay out, again not affecting money available for NHS services.

Talk to Irwin Mitchell. I'm not completely sure how it works with GPs as they are self-managed, but the NHS has a well run compensation section, well funded insurance, and nobody should be made to feel guilty for obtaining appropriate recourse.

I assume the board informed ICO? They will have their own punitive measures.

I didn’t expect so many replies so quickly.

I’m not a grabby person at all and if I was to get any compensation, I’d split it 3 ways to charities close to my heart. Mind Charity, our local children’s hospice and Tommy’s.

I am lucky enough that we can afford a holiday once a year with our children, I do not need the money for a holiday and I’m not interested in buying myself anything. The children have savings accounts we pay in to. Our bills are up to date, we have food in the fridge and can turn the heating on when needed. I am aware that I am extremely lucky to be able to live like this when so many others cannot due to cost of living (we are not rich by any means and my DH works his butt off at our business to provide for us).

I may not have suffered financial loss but I’ve suffered a lot worse with my mental health since this all came out wondering how many people who know of me now think I’m a “psycho”, know that I went to a psychiatric hospital to get help because I didn’t want to be here anymore (before my children were born), know how many miscarriages I’ve had, she even told her that my DH and I had separated and it’s true we had. I’d spent months laying in bed, signed off work, rotting away, curtains shut and I refused to get help. He was exhausted by trying to help me when I didn’t help myself and I get why he left, I was killing his mental health too.

He supported me through my inpatient treatment and he was waiting with open arms when I left. We had marriage counselling and we were and still are better than ever.

We have since been blessed with 2 little miracles after almost 10 years of trying and miscarriages in the double figures with no medical explanation.

I’m currently battling PND and trying to keep my head above water with the help from my psychiatrist and this tipped me back over the edge. Somewhere I never want to be again. So whilst I did not experience a financial loss, I lost my grip of my anxiety and PND which is way worse, I promised myself I’d never go back to this dark place now that I’ve got children and here I am. How many others who know me or DH has she told this highly personal and sensitive information too?!

I know it's easy for me to say but don't let this lady take away from your recovery.

You have a strong relationship, two wonderful children. You've fought difficulties and come out the other side.
Don't lose sight of that because of what happened.

I don't think anyone she may have told will judge you. The judgment will be reserved for her and rightly so.

Seeking help and recovery us the furthest thing from "phycho" - it's brave and commendable and may give hope to others who may be struggling.

The money doesn't come from the NHS, most doctors surgeries are privately owned, they will have insurance for this kind of thing.

I agree

OP I think compensation is a great idea. And you shouldn't feel obliged to give it all to charity. If the distress has made your PND worse or made it harder to enjoy time with your baby, hindered your social life or otherwise made things harder, then using some of it to have a time you'll enjoy will help to right the scales to some extent. Also, if some counseling over how you feel about what happened would help you move on, that's also a useful and important thing to spend the money on.

As well as the ability of compensation to help you get to the place you were at before it happened, getting compensation also helps put pressure on the surgery to put better controls in place. I have seen this sort of thing happen before. It's never a real surprise. Colleagues and managers overlook telltale signs of unprofessional behaviour because they don't want to go through the rigmarole of managing properly and ensuring the office culture is watertight. Having to pay out compensation or increased insurance fees can really sharpen minds around this sort of thing.

I used to work in hospital medical records department. This is illegal, it’s not just a lose your job type situation. Its a criminal offence and can even lead to a prison sentence. I would definitely seek legal advice.

I am currently going through something similar where a person has put something false on my medical record. I found out by chance a couple of weeks ago, it occured late 2024. Compensation has not crossed my mind, I just want my medical record corrected and have said as such. I have an hour meeting regarding it next week. I think the NHS has enough problems, the amount paid in compensation is huge & sometimes deserved. My own sisters child suffered a preventable birth injury that will have lifelong effects. I have not suffered anything like a permanent disability, I wouldn't consider compensation. It just feels wrong. I don't want a fuss even though the surgery are taking it very seriously, I just want it deleted. Why do you think you deserve money? I dont think I do, yes it was a shock but I am not going to need physio, operations etc like my sisters child. I think you need to think, well I do that the NHS is taxpayer funded, we all pay. I fully support my sister as her child requires extra care, may never live independently she has been through hell. They actually asked her and her DH if they wanted resuscitation attempted. They are a bundle of nerves watching for any sign she cant do something eg hear (she can't 100%). Compare that to what one lone individual did to you and me, it makes you think who should get some of the finite money. I don't think I should. The person involved should definitely be disciplined, sacked I would hope, but you can't blame the entire NHS.