Data protection breach at drs surgery - compensation?

[peony90]

Hello

A few months ago, I was told by an acquaintance that a woman who she was friends with (who was in the year above me at school and in the same year as my Husband) had told her personal things on my medical record. She is a receptionist at the surgery I used to be at.

The acquaintance knew how many miscarriages I’d had (not a number you could just pluck out of nowhere), what medication I was taking and how I was hospitalised in a psychiatric unit and the woman in question called me a “psycho” and divulged highly sensitive information about an overdose I took after losing another pregnancy in 2021 as well as both of my parents unexpectedly.

This is being fully investigated and they’ve admitted and confirmed that there was a data protection breach (I’m guessing her staff log in was recorded as opening my medical records when she had no reason to) but I’m still waiting to hear of the full outcome.

I am devastated, embarrassed and upset and my aunt who works for the NHS has advised me to seek compensation once the investigation is completed.

I still suffer from anxiety and depression which is usually well controlled however since the birth of my 2nd DD 6 months ago, I have been suffering PND and this has really knocked me. My antidepressants have been put up to a higher dose and I’ve needed anti anxiety tablets for the first time since 2022.

What would you do?

Long term user, name changed.

That's not the same thing at all.

I never understand. why this misconception is so common on MN. Of course you can claim compensation in the absence of actual financial loss. OP. would be entitled to compensation for mental stress and suffering, and for the exacerbation of her known mental health problems.

Why is it tawdry to expect compensation for injury? That's the only way corporations learn. Do you want your data accessed and leaked and then, "Soz," will be enough?

I think you’re right to persue compensation, providing that doing so won’t be to the detriment of your health further. The surgery are more likely to ensure there’s not a repeat if this impacts them financially. This js a really severe example of a data breach, the person has actively obtained this information for the purpose of gossip.

I will say, this other person isn’t a friend though. I’m not clear why they told you in this way, or even engaged in the conversation with the receptionist in the first place. I would’ve shut that down, and I wonder how reliable this person is as a friend if they didn’t.

Oh theres always one isnt there. How would you like your private medical issues bandied around town?
You should be ashamed of yourself. I bet you're a real nasty piece of work

OP this is a serious breech of the NHS's duty of care, especially given how sensitive the information is and your circumstances.

I would seem compensation but please don't give the money away. You may need it now or in the future, eg to fund help with your mental health.

Please be assured, most people will not think you are a "psycho" for being an inpatient at one point, they will be sympathetic, and should be shocked at what this stupid receptionist did.

If I was friends with the receptionist who did this I'd report them immediately and they'd no longer be my friend. She is the one who should be ashamed, what an utterly stupid and unprofessional thing to do. She certainly should never work for a public body again.

Whilst it's not the fault of the GP practice that she is a nosy cow, I'd probably speak to a solicitor to see what they think in the first instance to see if you have a case. Honestly I'd hope she loses her job, karma has a way of dealing with such folk.

It may not be their fault that she's a nosy cow, but it is their fault in that they employed her and she was allowed to access patient notes.

I think you definitely have a case to pursue here @peony90 but perhaps consult a solicitor with medical expertise. Sorry this has happened to you and can understand why you're still upset

There’d be a psychological assessment as part of your claim that would consider whether there was a “clinically significant” exacerbation and what the functional impact was on your life. The psychologist would read in detail your medical records as well to try and determine causation. Essentially, has the data breach led to the proven significant worsening of your mental health or could the the course of your PND symptoms have been expected to follow this pattern even in the absence of the breach given your psychological vulnerability and so forth. What other contributing factors were affecting you at the time etc. The claim might fund a course of therapy for any exacerbation in symptoms.

You might find the process of solicitors / experts pouring over your records and writing reports about you as intrusive a process as the breach itself. It’s a stressful and lengthy process sometimes, with lots of appointments. Litigation itself can have an adverse impact on mental health. I’m not saying don’t pursue it, but just be aware of the process.

I am so sorry these things have happened to you - by that I mean both the sharing of your data but also your miscarriages and mental health struggles.

Claiming compensation in the NHS tends to elevate the seriousness of the issue and they deal with it quicker and with more lasting emphasis. If the GP surgery is a private partnership though I am unsure how far this will go.

I would absolutely claim though - in your current situation that money could help extend maternity leave, get you some regular childcare so you can have a break and rest and improve your current MH, or maybe pay for a holiday or break (for you, holidays with young children are no picnic 😂).

Good luck

I’m so sorry you’re going through this. If I knew you and heard this I’d be admiring your strength to go though such pain and get yourself to a place you want to keep living. I’d be judging the receptionist and my negative thoughts would be reserved for her.
i can only begin to imagine how upsetting and unsettling this has been.

Are you the receptionist? Disgusting comment after what she’s been through have some compassion!.

OP you have every right to seek compensation what she did was disgraceful hopefully she will lose her job. Makes you wonder how many more people she has done this to.

I don’t think you’d be likely to get compensation. I’m sorry this happened but compensation in the UK isn’t like in the US. You’d need to prove you’d suffered losses due to the data breach

Have you spoken to ico? She should have been sacked for gross misconduct.

She clearly has suffered losses - it’s exacerbated her existing mental health conditions for a start. Whether it’s worth pursuing, because of the arduous process, is a separate issue.

OP asked WWYD.
I would pursue an apology and getting the culprit fired.
I would not seek money.

GPs are not technically part of the NHS. They contract to it. I'm surprised your aunt didn't mention that to you.

When looking at the legal routes, you need to consider that. Ask the practice for their data protection policies if you've not been given them yet.

You need to produce evidence of quantifiable economic losses.

Yes, you should seek compensation. It’s not just about financial losses, it’s about the emotional impact that has had on you!
im so sorry for what you’ve been through and that someone in a position of trust has done this ❤️

You are misinformed.

OP I am so sorry for all you have been through. I would absolutely seek compensation in your shoes and quite frankly I wouldn’t donate it all, I’d use it to do lovely things for myself and with my family. I’m no expert but it’s my understanding that GDPR breaches incur big fines, you should be entitled to something and I hope you get it.

Money aside (as it’s clear that’s not the most important part of this for you) I hope you can in time start to move on from what this awful, spiteful, brainless arsehole has done to you.

Hold your head up high - you’re not the one who has done anything wrong.

I think getting compensation from them is the only way to make them suffer and learn, they won’t learn from a rap on the knuckles. My son has a claim against the NHS for the unnecessary death of his wife, the ambulance service admitted liability 3 years ago at the inquest and to date nothing has been settled, so don’t hold your breath.

Yes, seek compensation.

Mainly because doctors surgeries won't take this seriously enough unless there is some sort of financial consequence. The inconvenience of an investigation and finding a new receptionist isn't really enough. Perhaps their insurance premiums getting a little bit higher as a result and their surgery profit a little bit lower will help concentrate their minds.

People will bleat on "... Oh but the NHS" but if they just get away with that as an excuse every time they won't get any better.

In this case, money could help. Private therapy, extra childcare, even a holiday could make a difference to your wellbeing.
I hope you get compensation. Remember you have done nothing wrong and this receptionist should be feeling ashamed, and the surgery who did not train or monitor her sufficiently. Not you.

A medical receptionist will access 100s of patient notes per day and not just for booking appointments. These tasks may not be linked to an appointment. I really don't see how you could limit their access. Other staff members possibly, but not this role.

Patient records systems do keep an electronic audit but unless this person was searching on days they were not working or repeatedly searching for the same person it would be difficult to pick up.

Ultimately we have to rely on training and trust. GP staff often live in the area they work in and so this shoukd be drummed into them. At a recent information governance training session at my trust, we were told that 5 people had been dismissed that year for accessing records when no need to do so. If the practice can prove the staff member had had appropriate training, I doubt they will be deemed at fault.