Data protection breach at drs surgery - compensation?

[peony90]

Hello

A few months ago, I was told by an acquaintance that a woman who she was friends with (who was in the year above me at school and in the same year as my Husband) had told her personal things on my medical record. She is a receptionist at the surgery I used to be at.

The acquaintance knew how many miscarriages I’d had (not a number you could just pluck out of nowhere), what medication I was taking and how I was hospitalised in a psychiatric unit and the woman in question called me a “psycho” and divulged highly sensitive information about an overdose I took after losing another pregnancy in 2021 as well as both of my parents unexpectedly.

This is being fully investigated and they’ve admitted and confirmed that there was a data protection breach (I’m guessing her staff log in was recorded as opening my medical records when she had no reason to) but I’m still waiting to hear of the full outcome.

I am devastated, embarrassed and upset and my aunt who works for the NHS has advised me to seek compensation once the investigation is completed.

I still suffer from anxiety and depression which is usually well controlled however since the birth of my 2nd DD 6 months ago, I have been suffering PND and this has really knocked me. My antidepressants have been put up to a higher dose and I’ve needed anti anxiety tablets for the first time since 2022.

What would you do?

Long term user, name changed.

It is gross misconduct and the person involved should be disciplined for inappropriately accessing patient records and breach of confidentiality. GDPR normally applies to incidental sharing of personal data, not deliberate actions, but you can make a complaint to the practice data controller and ICO and be compensated if appropriate.

OP this is awful, so sorry your private medical information has been breached in this way. I hope the surgery sack the member of staff concerned after their investigation.

Have they (the surgery) offered you any support during this upsetting time?

No, I’m not.

I’m outraged on your behalf. How dare anyone in a position of trust trawl through medical records for malicious tittletattle.

Ignore the posters that say compensation won’t help. Money or the thought of losing money is the only way organisations will become more compliant with legislation

I Hope that person is no longer working for the NHS

I think compensation is appropriate in this case actually, and I think you should spend it on counselling to help you move on from it. What a terrible thing to have happen, I’m so sorry

Claims are usually handled separately via bodies established (eg NHS Resolutions) it’s not the GP funding it personally.
plus this mythical free hour with a solicitor - you won’t get anything useful for free. I recently spent hours on the phone trying to find someone to speak to and ended up paying £800 plus for a merits of claim (which was still just an outline of the relevant law and not any indication of merit, which would cost more)

Talk about victim blaming. IF any compensation is coming from the nhs/taxpayers that's on the person who breached ops data, not op!

I'm sorry you have gone through this.
Your confidential information should have remained confidential, and not used as some inside gossip between pals. Disgusting behaviour. 😡

I hope your complaint was taken seriously, and the receptionist has been sacked! 🙏
I would never have claimed compensation, but in this case I think you are right to do so.
If you like a PP said, do indeed need it for therapy, or if you wish to donate it to a certain charity etc then you do what you think is best. 💐

I told my husband about this thread and his response...? They won't take it seriously unless she hits them in their wallet. - enough said. 👏

Wishing you the best. @peony90

OP the best thing to do here is to seek legal advice from a recommended solicitor or perhaps from the Citizens Advice Bureau. You really do need information from a qualified professional rather than an internet forum.

Yes you are. I posted earlier up the thread about this, stated by the Information Commissioner's Office:

The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. This includes both “material damage” (e.g. you have lost money) or “non-material damage” (e.g. you have suffered distress).

If you remain dissatisfied after the Practice’s investigation (which you may not) you can complain to the ICO and then the Public Service Ombudsman.

In terms of what remedy would be available it would be primarily financial remedy. There are some very naive posters on here that don’t seem to realise that the NHS pay out billions in compensation each year. In terms of the person at the Surgery who leaked your information it is unlikely that they will be sacked although this kind of security breach is taken very seriously. You probably won’t find out how she will be impacted as that is her personal information.

Good luck. It seems to me that you are entitled to compensation and will likely be offered some but don’t get too emotionally sucked into the complaints process as it can take a lot out of people.

Maybe even ask a representative to take it over for you.

I think it’s awful if the person who divulged the information doesn’t lose their job. It’s a sackable offence, and they should lose it. It’s not the same as an accidental recording in the records, it’s deliberate.

Do you know this lady op. Personally In your private life? I’m trying to work out why she did it.

amd yes. Comp is fair. And yes you should treat yourself with it. Or your babies.

I don't really have an opinion either way on if you should or shouldn't claim compensation. But one thing to think about is that making a claim will mean all of your mental health history is gone through and questioned, that can be alot for someone all struggling, don't make a decision just yet op, sit on it and decide what you could or couldn't cope with

The above is not correct. It will be a paper-based exercise and you could have very little to do with it if you chose to. You can complain through the relevant regulators highlighted above. You wouldn’t need to go apply through the courts unless you chose to. The bigger problem is that it can take a long time which people generally find stressful. But you may be happy with the response from the GP practice without having to escalate in any case.

Have they sent you official response from the surgery’s Data Protection Officer?

I would. Im fact you should think about instructing a solicitor to make sure you are correctly compensated, given your mental health history.
It's disgraceful. I'd want to know how often they actually audit staff log ins vs the need to access records.

No it's highly likely they will be sacked if proven that they were responsible. This is gross misconduct and taken very seriously.
Whether the practice can be held to blame for malicious behaviour of an employee is another matter. This is assuming they had been given information governance training and systems were password protected.

Please speak to a law firm that deals with data breach claims. There are plenty. They will probably be able to do a "no win no fee" arrangement for you.
Of course you should seek compensation that was incredibly private and sensitive information

I wouldn't be looking for compensation myself though I understand why you would.

But this situation is utterly outrageous, and I would certainly be looking for the woman concerned to be prosecuted under the GDPR laws, she has committed a serious criminal offence.

Not necessarily, an astute GP surgery should offer a decent amount of compensation and not try and resist the claim where the breach has been proven and the harm is clear

If you do get compensation don't feel like you have to give it to charity.
You could use it for therapy to work through the extra anxiety this has caused, or anything else you need.

@peony90 you absolutely shouldn't feel you have to give the compensation to charity. It's yours! To compensate you for the very real harm caused. You can spend it on something frivolous, or a holiday, or just savings.

I received compensation for an injury that will be with me for life. I used some for physio, some on a lovely holiday, and some to take a sabbatical from work to give me breathing space to recover and also make a plan to shift career direction

Don't let mealy mouthed people guilt you into feeling you have to give the money away. The fault lies entirely with the awful lady who gossiped

That’s positive. I assumed she will join a union (if not already in one) and am aware it’s very hard to sack people in the public sector after probation is complete. But it’s certainly easier on a security breach than on poor performance.