NHS Data Breach – When Could You Claim Compensation?

This guide shall examine what could be meant by an NHS data breach and how one could affect patients.

NHS data breach of information claims guide

NHS Data Breach – When Could You Claim Compensation?

The NHS handles personal data, including NHS medical information of patients they treat but also their staff. Under the UK General Data Protection Regulation UK GDPR and the Data Protection Act 2018,  data controllers and processors must keep any personal data they handle safe and secure. The NHS would be considered a data controller as they have control over the purpose and means of the data being processed. A data processor can be hired to process the data on behalf of the controller. The Information Commissioner’s Office was set up to uphold your data protection rights, and they can fine those who do not comply with the laws above.

To be eligible to make a data breach claim, the onus will be on you to prove how the data controller or processor failed to correctly protect your personal data. We discuss the criteria further in this guide.

To find out if you could be eligible to claim:

Select A Section

What Is An NHS Data Breach

A personal data breach compromises the data’s availability, integrity or confidentiality through a security incident. Personal data is information that identifies you, such as your name, date of birth or email address. Moreover, health data is considered a type of personal data but needs extra protection because of its sensitive nature.

Under the UK GDPR and the Data Protection Act 2018, organisations must protect personal data. Therefore it may be wise for organisations to…

  • Firstly keep paper documents and electronic devices locked up when not in use to prevent losing data records.
  • Secondly, employers should train their employees on data awareness and the principles of the UK GDPR to avoid data breaches caused by human error.
  • Moreover, cybercriminals may target healthcare providers because health data is sensitive. So healthcare organisations must have an up-to-date cyber security system to protect against cyber attacks.

If a data breach was to occur because an organisation failed to comply with data protection legislation, then if your personal data was affected and this has had consequences for you, you may be eligible to claim.

Examples Of Patient Information

The NHS handles lots of personal data of patients, so you may wonder if an NHS data breach occurred, what information could be involved? To answer this question, let’s first look at what personal data healthcare providers may have processed:

  • First names and surname
  • Home address
  • Email address
  • Date of birth
  • Mobile number or landline number
  • Logins and passwords to online accounts

What Is Sensitive Data?

The UK GDPR recognises that certain data concerning health is sensitive. So, health data is defined as special category data. Special category data is personal data with additional protections under the UK GDPR. So, data controllers or processors must meet special criteria before they process it.

If a data breach compromised your health data, you might have experienced emotional distress. Or you may have developed psychological injuries such as anxiety from a data breach. On the other hand, the breach may have worsened your condition if you had existing mental health problems.

Example Of An NHS Data Breach

The ICO issued Tavistock and Portman NHS Foundation Trust with a penalty notice following a  failure to protect personal data in accordance with data protection legislation.

On September 06th 2019, a gender identity clinic managed by the Trust sent out two mass emails to 1,781 patients. However, the sender failed to use the blind carbon copy field Bcc that hides the email addresses of other recipients therefore, all recipients could see the full list of patient email addresses. This means that patients’ email addresses had been breached.

The Information Commissioner’s Office issued the trust with a monetary penalty notice of £78,400.

What Should I Do If There Is An NHS Data Breach?

Organisations must report data breaches to the ICO within 72 hours if they affect your freedoms and rights. They must notify all data subjects that have been affected without undue delay.

However, if you believe you have discovered a data breach, you can contact the data controller and ask for an explanation. If you do not receive a satisfactory response, you can ask the organisation to clarify its position.

At this point, you can also ask the ICO to look into this for you. When choosing to contact the ICO, you must do this within three months of the last correspondents with the data controller.

The Infomation Commissioner’s Office is unlikely to investigate an older data breach, so please report your complaint within this time frame. You can contact a legal representative immediately if you wish to claim compensation for a data breach.

What Compensation Could I Get?

If your NHS data breach claim is successful, you could be awarded two types of data breach compensation:

  • Material damage to compensate the victim for any financial losses incurred.
  • Non-material damage compensates the victim for any psychological injuries or emotional distress triggered by the data breach. For example, you may experience stress due to a data breach.

We have included a table below with brackets amounts taken from the 16th edition Judicial College Guidelines JCG. This document is often used by solicitors and lawyers when calculating injuries and illness values. However, the compensation brackets are not guaranteed payments.

Reason For Claiming Compensation Notes On The Injury Payout
Mental Harm – Severe There are serious, marked problems faced across multiple parts of the person’s life. They have a poor diagnosis for making a recovery. £54,830 to £115,730
Mental Harm – Moderately Severe Whilst not impacted as severely, there are still serious long-term mental health problems. £19,070 to £54,830
Mental Harm – Moderate Serious problems could still be present though this person has already significantly recovered. £5,860 to £19,070
Mental Harm – Less Severe The payout will look at what symptoms were experienced and how long these lasted. £1,540 to £5,860
Anxiety Disorder – Severe The condition causes permanent and acute mental health problems for the person. £59,860 to £100,670
Anxiety Disorder – Moderately Severe Whilst similarly impacted, the diagnosis is better and with professional care some recovery could be made. £23,150 to £59,860
Anxiety Disorder – Moderate This person could (more or less) have recovered to a large degree. £8,180 to £23,150
Anxiety Disorder – Less Severe A near full recovery is made. £3,950 to £8,180

Material damage compensation amounts are not included in the table.

How Could Advice.co.uk Help You?

Why not call our team of advisors today? You can have your case looked at for free; when our advisers see that compensation may be awarded, they can offer to connect you with a No Win No Fee data breach solicitor from our panel.

Generally, if a No Win No Fee solicitor takes on your case, you both will sign an agreement. This is often a Conditional Fee Agreement in which you will agree to pay a success fee if you win your claim. Generally, there are no upfront fees and no fee for the solicitor’s service if the claim fails.

Please get in touch with us to make your enquiry:

  • Call our advice line on 0161 696 9685
  • Contact us to arrange a callback
  • Alternatively, use the Live Support widget below to ask an advisor a claims question


Thank you for reading our guide. The following resources might be helpful if your personal information was breached.

What Happens After An Accidental Data Breach By An Employer?

Can I Claim For A Breach Of Sickness Information At Work?

How To Claim If Your Files Were Lost In A Data Breach

Government information on identifying and avoiding phishing scams

An ICO guide explaining the lawful bases for personal processing data

An ICO guide on consent when processing personal data.

Thank you for reading this guide on examining what an NHS data breach could be. For more advice on data breach claims, please don’t hesitate to get in contact today