How data breaches land you in trouble

Indemnity surrounding data and confidentiality breaches can be complex, but by taking steps to understand it and ensure appropriate protection is in place doctors can potentially avoid a costly claim. Dr Dawn McGuire looks at some cases and what to glean from them.

Claims arising from data or confidentiality breaches are not uncommon. A claim may arise, for example, after medical information or test results have been divulged to a patient’s relative or representative without the patient’s consent. 

They have also been reported following doctors or their secretaries:

 Accidentally sending medical information to the wrong recipient or address;

 Losing medical records in their care; 

 Accidentally leaving medical records in a public place.

These case examples demonstrate how data or confidentiality claims can come about:

Case study 1

Leaving medical records in a public place

Dr P, a private consultant psychiatrist, treated Mr B for anxiety and depression following a traumatic childhood assault. 

He took his printed paper records with him after a meeting one day and accidentally left the bundle of records on a public car park paying machine as he was fumbling for coins. He returned an hour later but the bundle had disappeared and was never found.

Dr P complied with his duty of candour and informed Mr B about the incident. Mr B pursued a claim against Dr P for data and confidentiality breach. Mr B alleged that someone somewhere had possession of sensitive information about him and his anxiety had deteriorated as a result of this fear of uncertainty. 

The public liability insurer (PLI) of the clinic where Dr P worked declined to assist with the claim because the incident did not take place on the clinic premises and Dr P was an independent contractor, not an employee. 

As the incident did not arise from clinical practice, the claim was also out of scope for assistance from Dr P’s medical defence organisation (MDO).

Dr P therefore sought independent legal advice and the claim was eventually settled at his own personal expense.

Case study 2

Not confirming who you are speaking to

Miss A, a consultant gynaecologist and director at a women’s clinic, treated Mrs F for dysuria and a recent test came back positive for chlamydia. Miss C, a receptionist at the clinic, was asked to contact Mrs F and arrange for her to attend for a consultation. 

Miss C called the landline number on record and spoke to a ‘Mrs F’ but did not confirm other personal details such as date of birth. 

Miss C was very sympathetic about the infection; she reassured ‘Mrs F’ that this was very common and that she was not judgemental at all. Unbeknown to her, she was speaking to the patient’s sister-in-law, who was also ‘Mrs F’. 

Mrs F, the patient, pursued the clinic for a data breach claim and psychological injury following the breakdown of her relationship. 

Miss A was familiar with data protection law and also knew that indemnity protection had to be obtained from a PLI or another appropriate insurer. As Miss C was an employee, the clinic’s PLI took over the conduct of this claim.

Key points

It is vital that doctors and their administrative team are familiar with data protection laws, confidentiality and information security, and are adequately trained. 

The Information Commissioner’s Office provides a useful guide to data protection for organisations and employees who have day-to-day responsibility for data protection.   

Claims or fines arising from data loss or breaches fall outside of healthcare indemnity and so are out of scope for MDO assistance. 

This is in line with NHS Resolution’s position where the Clinical Negligence Scheme for Trusts and the Clinical Negligence Scheme for General Practice also do not protect against issues arising from data breaches. NHS organ-­isations, however, can turn to NHSR’s Liabilities to Third Parties Scheme for data breach claims.

In a private healthcare setting, hospitals and clinics need to ensure adequate protection is in place for these claims. Directors and managers can explore protection options with a PLI or other appropriate insurer; for example, employers’ liability or directors’ liability insurances.

Private consultants who hold practising privileges in private hospitals, and are not employees, may not be protected for confidentiality or data breach claims and may find themselves personally liable for these claims. 

It is therefore imperative that doctors are familiar with these matters, take steps to protect themselves on a personal level and take care to ensurethat patient confidentiality is protected.  

Dr Dawn McGuire (right) is a medical claims adviser for Medical Protection