What would you do if you got a copy of someone else’s confidential GP records

[Twinkletoesandspaghettios]

No poll just wondering exactly what you would do?

The summary care report was in with mine and had name, address, DOB, full medical history including details on social services and CAMHS involvement

That is just appalling!

No, I know it wasnt dealt with and nothing was done.

ICO also never wrote to me about the outcome despite the fact they are meant to do so and promise they will.

I just find it laughable that people think there will be consequences. There arent.

England - report to PALS if it was a hospital. Complain to GP if it was GP practice.

It still needs to be reported.

I defy anyone to not not read at least part of it!
It’s human nature unless you’re a saint!

Yes, it was. Thats why I am so angry- I reported it directly to ICO and they did nothing. Thats the entire point - they are doing nothing

I’d report the breach to the GP Practice and expect them to report themselves.

Sounds like you did the right thing, Twinkle. It was just human error and no harm done.

What?

Sued by whom?

This. The DPO in the practice will have a procedure to follow, including notifying the person whose data it is, if deemed sensitive, and the ICO.

Yes this would be a mandatory self reporting incident, it is a serious data breach.

A few years ago I requested a copy of my full medical records for my solicitor. My solicitor received a fully comprehensive set of notes, going back to birth, for another patient in the practice with a similar name. He was horrified. He returned the file to them and formally instructed them to self report. Medical information is highly sensitive, the consequences of it being shared with unauthorised people can be devastating.

Yes, same here. The person would be contacted to inform them.

Exactly this. No drama. All organisations dealing with personal data will have a process in place to deal with any kind of breach. It might just be recording it and if a pattern becomes apparent, training or process change may be the result.

Asking the recipient to destroy or return the data will be part of the process and not some kind of cover up like so many seem to think 🙄

What work flow process would eliminate this?

Have you never opened an envelope that's come to your house without properly checking? I once opened an Amazon parcel - I was expecting one, and it wasn't until I could see it was things I absolutely hadn't ordered thst I checked the actual address, and it had been misdelivered, e.g. to 28 rather than 38 - so I just took it round and apologised. (Mine arrived the next day.)

I've also opened envelopes in error from time to time. It's particularly likely to happen with things like NHS letters, when I'm expecting one, and I just see the logo on the top. (To be fair, I don't think I've ever had an NHS letter thst wasn't for me.)

I've lived here the best part of 2 decades, on my own. Any post should be for me, so I don't always read carefully, if I'm busy or about to go out.

You're missing the point. You aren't a data controller who is supposed to abide by GDPR. The NHS is.

Also idiots whining to the ICO because their employer or whoever is 2 days late responding to a DSAR wastes their resources

Only read op’s posts, but I think you’ve done the right thing. Although a breach in confidentiality. It was probably an honest mistake. Surgeries have procedures called ‘Significant events’, where mistakes, procedural situations etc are logged, and then reviewed and improvements put in place. This, hopefully, will be logged as one, and lessons learnt from it.

ICO fines

Public Sector Approach: While the ICO generally prefers reprimands for public bodies, severe breaches resulted in heavy fines in 2024, including the Police Service of Northern Ireland (£750,000) and the Ministry of Defence (£350,000).

Capita plc and Capita Pension Solutions Ltd (£14M+): Two separate, major penalties following cyber-attacks, highlighting the risk of failing to secure personal data.

Advanced Computer Software Group Ltd (£3.1M): First fine against a processor for failing to implement appropriate security measures (MFA, vulnerability scans) after a ransomware incident.

23andMe Inc (£2.31M): Penalty in June 2025 for failing to protect the personal data of 155,592 UK users against a credential-stuffing cyber-attack.

Recent major penalties include a £3.1 million fine for Advanced Computer Software Group Ltd (2025) for security failings and a £2.31 million fine for a genetics company (2025) following a cyber-attackZMLUK Limited (£105,000): Fined in 2026 for sending over 67 million marketing emails without proper consent (PECR breach).

Solicitors, my sector, have been fined too. There's plenty more examples if you search.

Report the data breach.

They have fined very few organisations a lot of money (their fines have gone up but they are fining less and less) but actual action has declined whilst complaints have gone up. Many of their so called actions have been overturned. They are not fit for purpose:

https://legallens.org.uk/icos-collapse-shows-its-no-longer-fit-for-purpose/

https://www.openrightsgroup.org/press-releases/70-organisations-and-experts-demand-action-over-failing-ico/

But this has nothing to do with one piece of mis mailed paper.

The MOD were fined £350,000 in December 2023 for a severe data breach that exposed the personal information of 265 Afghan nationals eligible for relocation, putting their lives at risk.

Attackers gained access to Capita’s systems and extracted almost one terabyte of data (more than 6.6 million records)

Slightly more serious

A lot of people here saying it’s compulsory to report data breaches at their workplaces, I wonder if there’s some confusion about internal reporting to meet organisational GDPR requirements vs external reporting for regulatory oversight.

It should always be compulsory to report a data breach internally for appropriate investigation and follow up, however a single breach of a patient record where the data is returned and secured may not meet the threshold for reporting to the ICO on its own, unless there are other circumstances involved (eg the information was disclosed to someone known to the patient, or the health information is more sensitive - there’s a difference between a report on a broken leg vs information about an abortion).

Of course every data breach must be treated seriously, but treating it seriously doesn’t necessarily require external reporting to the regulator. The ICO has an assessment tool and framework to identify what is reportable and what isn’t.

Indeed. But these are all quite a different scale from the situation op is describing

The ICO guidance is that you should not always inform the person though. You should weigh up all the facts and balance the harms

We would always tell someone if they needed to take steps to protect themselves but in a situation like this we wouldn't inform them