
Data breaches and indemnity

By Dr Dawn McGuire & Dr Ian Lavelle - 23rd Aug 2022

Indemnity issues surrounding data breaches can be complex and it is important that practices are aware of the requirements. Dr Dawn McGuire and Dr Ian Lavelle, Medico-Legal Consultants at Medical Protection, look at some cases and explain more.

Claims arising from data or confidentiality breaches are not uncommon. The practice may be pursued for these alleged breaches, whether within or outside healthcare provision. 

For example, Medical Protection has received claims after medical information or test results have been divulged to a patient’s relative or representative without the patient’s consent. 

Claims have also been reported to us following a practice employee accidentally sending medical information to the wrong recipient or address, losing medical records in their care, and leaving medical records in a public place. 

Another case centred around a member of the practice team accessing a patient’s medical records without valid reason. 

Key points 

It is vital that the whole practice team is familiar with data protection laws, confidentiality and information security, and is adequately trained. The Data Protection Commission provides a useful guide to data protection for organisations and employees who have day-to-day responsibility for data protection (

Claims or monetary penalties arising from data loss or data breaches fall outside of healthcare indemnity and are therefore outside the scope of Medical Protection assistance.

Healthcare organisations like GP practices need to ensure adequate protection is in place for these claims. The practice manager can explore adequate indemnity protection with a public liability insurer or other appropriate insurers, for example employers’ liability or directors’ liability insurances. 

Case study 1: Accessing a friend’s records 

Mr T worked as an administrator in a GP practice. He heard that an old friend, Mr B, was a shadow of himself, and that his wife had left him. Mr T knew that Mr B was registered with his practice. When he was working on a late shift one day, Mr T looked into Mr B’s medical records and discovered that Mr B was recently tested for HIV and the result had come back positive. Mr T could not contain his shock and revealed this to a mutual friend when they met later the same day. 

Two weeks later, the practice manager asked to speak to Mr T privately. Mr B had made a formal complaint to the practice as he suspected that someone from the practice had accessed his records and publicised his HIV status. An audit trail had revealed that Mr T had accessed Mr B’s record without any valid reason. Mr T underwent disciplinary action and was dismissed from the practice. The practice manager wrote a very apologetic and empathic letter to Mr B. 

Another month later, the practice received a letter of claim requesting compensation for Mr B’s psychological trauma. Mr B claimed that his family and friends had deserted him, and he was now a recluse and terminally depressed. The senior partner of the practice contacted Medical Protection to request assistance. She was advised to notify their public liability insurer (PLI) instead. 

The practice manager was familiar with data protection law and also knew that adequate indemnity protection had to be obtained from a PLI or other appropriate insurers. The practice’s PLI took over the conduct of this claim. 

Case study 2: Confirming who you are speaking to 

Ms C, a receptionist, was asked to contact Ms F to inform her that her blood iron level was low and that an iron supplement prescription was ready for collection. Ms F had a miscarriage recently and had been feeling lethargic, so the blood test was recommended. 

Ms C called the landline number on record and spoke to a ‘Ms F’ but did not confirm other personal details, i.e., date of birth. Ms C was very sympathetic about the miscarriage, wished Ms F a speedy recovery and relayed the blood test result and prescription information. Unbeknown to her, she was speaking to the patient’s sister, who was also ‘Ms F’.

Ms F pursued the practice for a data breach claim and alleged psychological injury. She had kept the pregnancy and miscarriage from her family due to personal reasons and the unintended revelation had led to a family rift and loss of trust. 

The practice manager contacted their PLI and the claim was eventually satisfactorily settled.
