
What would you do if you got a copy of someone else’s confidential GP records

230 replies

Twinkletoesandspaghettios · 09/05/2026 23:09

No poll just wondering exactly what you would do?

The summary care report was in with mine and had name, address, DOB, full medical history including details on social services and CAMHS involvement

ValenciaOrangeJawline · 10/05/2026 06:32

EmeraldShamrock000 · 09/05/2026 23:35

It happens more than you think. Let them know about the error and return the paperwork.
Not ideal, but it is a human error.
I wouldn’t report above calling the office.

Edited

That’s not OK, and “human error” is never a valid root cause of an error.

There is always, always an underlying cause, be it incompetence, negligence, or more likely poor systems of work/inadequate checking processes etc.

I hope you are not one of my NHS colleagues.

Daffodilsinthespring · 10/05/2026 06:41

Bellasmellsofwee · 09/05/2026 23:26

Phew, so they got away with it then. Yeah; I bet the GP was very grateful.

I know that’s sarky of me, but this is how the NHS gets away with shit like this, people don’t make them take any responsibility.

Edited

They did not get away with it. I work in a surgery. I would need to report the breach, investigate how it happened, have an internal enquiry, discuss with all staff, maybe bring in new policies, retrain all staff and inform the other patient, fully document everything plus lots of other things.

The OP's mistake was informing the GP when it should have been the practice manager. The GP could choose to say nothing.

Waitingforthesunnydays · 10/05/2026 06:42

Firstly I would read it

Serenitymummy · 10/05/2026 06:49

I know you've dealt with it now, but I actually think the best thing here would just have been to shred it and not tell anybody. I wouldn't want someone getting in trouble for what was probably an accident/oversight. We've all made mistakes

DungareesTrombonesDinos · 10/05/2026 06:52

I work in the NHS and I would have to report this as an incident and it would be thoroughly investigated. The person whose files were shared with you would receive an apology and they would be free to make a complaint as this is a serious data breach.

I would hope the GP would be following a similar procedure.

EnglishRain · 10/05/2026 06:53

I would put it in my stove and burn it and then notify the GP about it. I would note down the NHS number and first and last initials first so I could tell the GP who it was so that they could notify them also.

Lovemuesli · 10/05/2026 06:54

Pippa12 · 09/05/2026 23:13

Probably read the name, realise it wasn’t mine so wouldn’t read history/referrals and return it in an envelope to the surgery.

This.

LikelyLacking · 10/05/2026 07:05

Twinkletoesandspaghettios · 09/05/2026 23:36

It was probably a stressed out receptionist who accidentally fired it in a brown envelope. Yes not ideal but with all the ridiculous pressure GP surgeries are under do they really need the ballache of dealing with an admin error?

I have no doubt the GPs will have highlighted it and changed the practice so it doesn’t happen again going forward but what would reporting it actually achieve?

Edited

Absolutely shocking that you didn’t report this! If my medical records were being shared with another patient, I’d want to know that the GP surgery were being held to account and that a mistake like this didn’t happen again.

LovedFedAndNoonesDead · 10/05/2026 07:28

Monzo1ss · 10/05/2026 01:00

Medical records are boring as fuck, I wouldn’t read them.

My experience was a bit worse, in that someone accidentally put a record meant for someone else in my medical records. I found out through a SAR. They said the practitioner no longer works there but I can’t recall if they actually removed the info from my records. It was basically saying “patient was talking about his son” when I am female and in my 20s without kids, so it clearly wasn’t about me.

You should be able to check if you have the NHS app. Look under “Appointments” and it has a chronological list of entries including who added the entry; relevant codes for the activity (whether it’s a new diagnosis, change of treatment, invitation for vaccination/screening/therapy etc or activity initiated by patient such as completed online triage form) and content including outcome of interaction.

If you see my previous comment on the thread, this was the type of data breach I was involved in this week at the hands of my surgery - another patient’s triage form including NHS number, DoB and case identifier code, their free text request for treatment to the surgery and the outcome comment from a named Dr all uploaded to my medical records.

I’ve been told the process they will follow to investigate the breach, and that their DPO will make the decision whether to report themselves to the ICO or not. The practice manager also said they would make the patient whose data was breached aware and provide them with the complaints process in case they wish to raise a complaint.

thecatneuterer · 10/05/2026 07:32

TheGirlWhoLived · 09/05/2026 23:32

It was just an accident. Just a real person, with real life worries and stresses and problems that made one tiny error. I think you did the best thing and exactly what I would have done. Or maybe just shredded the information without anybody ever knowing.

Yes it was a balls up but nobody was hurt, it was just an error.

This

Holdonforsummer · 10/05/2026 07:37

Why is the OP assuming the GP surgery will cover this up? I work in healthcare and we are legally bound to report these things. We would a) apologise to both parties. b) ask you to delete/shred the info belonging to someone else. c) assess the damage that has been done to the other party whose information was shared. d) if the sharing of the information has caused harm, it would be viewed in a different light by the ICO and a fine might be needed but the bar for this is quite high. You just needed to tell the surgery and they will do what they need to do. No drama.

Su1rlie · 10/05/2026 07:42

DallasMajor · 10/05/2026 06:27

It is not a huge data breach and the ICO wouldn't be interested.

If they were, can you begin to imagine how many people would have to work for them if they investigated every single human error?

I can’t believe I’m reading posts like this! It’s a massive breach and they would be interested. Those working in education and public services do data training every year for this very reason. Things like this absolutely should not happen. I’d be beyond livid if those were my notes. The patient deserves to be told and it definitely needs to be reported.

Woking925 · 10/05/2026 07:43

Twinkletoesandspaghettios · 09/05/2026 23:15

If something of this level of confidential information was given out from your team, would you report it to the Information Commissioner's office?

Yes you should report to the ICO, it’s a huge data breach!

ImaSpringChicken · 10/05/2026 07:46

I would definitely not do anything to make the person aware. It wouldn't help anything, and might cause them a lot of worry and embarrassment depending on the contents of said notes.

Su1rlie · 10/05/2026 07:48

bigboykitty · 10/05/2026 04:44

It is neither a huge data breach nor a minor cock up. To accidentally release a patient's entire patient record with full personal and sensitive information is more than a cock up. It's much more serious than accidentally picking up an extra letter from the printer and putting it in the envelope to the wrong patient.

It is a serious data breach.

Having GP notes or medical records sent to the wrong person is considered a serious data breach under UK data protection laws (UK GDPR). Because medical information is classified as "special category" data, its accidental disclosure poses a high risk to a person’s rights, privacy, and confidentiality.
Here is a breakdown of the situation:
Why It Is a Major Breach
Sensitivity: GP notes contain intimate, private health information.
Unauthorised Disclosure: This is defined by the Information Commissioner's Office (ICO) as a "loss of confidentiality," one of the most common and serious types of data breaches.
Human Error: Sending letters, emails, or test results to the wrong recipient is a frequent cause of breaches that often results in reprimands or fines for the GP practice.
What the GP Practice Must Do
Investigate: The practice must investigate how it happened and contain the breach (e.g., attempt to get the records back).
Report to ICO: They are likely required to report this to the ICO within 72 hours of becoming aware of the breach.
Notify the Patient: They must inform you ("the data subject") about the breach if it poses a high risk to your privacy.
What You Should Do
Contact the GP Immediately: Inform them that you have received another patient's records (or that yours were sent to the wrong person).
Ask for a Formal Investigation: Ask the practice to escalate this to their Data Protection Officer (DPO).
Report to the ICO: If the GP practice does not handle your complaint satisfactorily, you can report the breach directly to the ICO.

You need to report it, you have no idea if they have reported it within 72 hours. It’s for the safety of others, not just you.

https://www.gov.uk/data-protection/make-a-complaint

sandyrose · 10/05/2026 07:52

Twinkletoesandspaghettios · 09/05/2026 23:15

If something of this level of confidential information was given out from your team, would you report it to the Information Commissioner's office?

yes

Su1rlie · 10/05/2026 07:52

ImaSpringChicken · 10/05/2026 07:46

I would definitely not do anything to make the person aware. It wouldn't help anything, and might cause them a lot of worry and embarrassment depending on the contents of said notes.

It’s not a choice, the GP practice will have to tell them.

Also the OP doesn’t know whether they printed off two copies of each. The other patient might have her summary care report.

happybug1234 · 10/05/2026 07:55

Honestly… Have a good read/nose and then throw in the bin.

PuppiesProzacProsecco · 10/05/2026 07:55

This happened to me when I was pregnant with DS. A few pages of another mum's maternity notes were filed in my folder (you know, the one you carry around to different appointments whilst pregnant).

I rang the midwives immediately, told them what had happened and they asked me to return the other lady's pages asap which I did. They apologised profusely and assured me nothing was missing from my notes.

Mistakes happen. People are human. It's not ideal but unless it was a regular occurrence, I wouldn't report it. I can't even remember the other lady's name now nor anything about her from her notes. I barely glanced at the content once I realised they weren't mine.

Oncemorewithsome · 10/05/2026 07:57

I would tell the surgery, give it back and also report it here ico.org.uk/for-organisations/report-a-breach/

CornishTiger · 10/05/2026 07:59

I’ve had to report a breach when I became aware that despite repeatedly telling them my son’s father had moved they continued to write to him and he didn’t get the letters. When they still didn’t update the address and my child’s child plan went to that address with hugely identifiable and personal info I hit the roof.

Complained formally and didn’t get acknowledgment or response within deadline so I escalated it wider within organisation- basically they hadn’t reported it as a breach. Once the governance team became aware stuff was done. Caldicott Guardian involved too.

Systems were changed to ensure it wasn’t repeated and that’s what I wanted. I explained it wasn’t about the person getting in trouble but reviewing the whole process from beginning to end. My son’s father hadn’t lived at that address for years. Right at the beginning it shouldn’t have been assumed he still did. It should have been put as an unverified address and not used until it was. He was 8 years out of date. And I had told them.

I think we should all report data breaches so they are learnt from. Otherwise staff remain overworked and expected to do more more more without thinking and this is how mistakes happen. They are learning opportunities.

EdithBond · 10/05/2026 08:02

Twinkletoesandspaghettios · 09/05/2026 23:23

So I called the GP surgery and the doctor called me back (not a recorded line as I specifically asked). I explained what happened and I will admit I did say “I haven’t shared this with anyone and I will not report it to the ICO but I think some internal training so this doesn’t happen again may be in order”. I then left the records back in a sealed envelope half an hour later marked for the attention of the GP.

I don’t think they reported it as the GP was extremely grateful for how I had let her know.

It’s such an easy mistake to make. If it were my records (provided it didn’t end up online or copies being made) and it was handed back to the surgery I wouldn’t even want to be told

That’s what I’d do.

And maybe email the practice manager, so they have a record it happened. In case there’s a pattern of it happening.

DuskOPorter · 10/05/2026 08:02

Meh humans make errors and systems made up of humans are flawed because humans make errors. It is just a delusion of superiority that means people don’t realise they are equally capable of being that flawed human in that flawed system on a bad day.

Drop the section into the GP or wherever it came from.

Lifestooshort71 · 10/05/2026 08:03

I would have reported it to the practice manager and handed it back. On a much larger scale, half a million health records from volunteers available for purchase in China.....
www.digitalhealth.net/2026/04/health-data-from-uk-biobank-listed-for-sale-on-chinese-website/

daisychain01 · 10/05/2026 08:03

Twinkletoesandspaghettios · 09/05/2026 23:13

That’s a bit ridiculous. Also didn’t answer the question.

I was reading mine and theirs was behind mine. I was half way down the page before I checked the top where name was as I realised it was not my record

If the report was sent to you by your doctor's surgery the first thing I'd do is ring them and report the fact you've received someone else's record in with your own. It's a Data Protection breach, and you need to report it as that. Whether or not you've read it isn't the point, the fact is you have someone else's data.

Ask them what their process is, what do they need you to do.

They will need to get the document back so they can advise the other person of the data breach within the required timeframe of within 72 hrs of the event.

ETA they shouldn't wriggle out of saying they'll just do some training, they must let the person whose data you received in error know about the breach. Imagine that was your data going to someone else by mistake. You'd want to know. They need to follow the correct procedure.
