Data breaches are a common cause of claims but the indemnity issues surrounding them can be complex. Dr Dawn McGuire, Medicolegal Consultant at Medical Protection, looks at a case and explains more.
Case study: accessing a friend’s records
Mr T worked as an administrator in a GP practice. He heard that an old friend, Mr B, had been looking a shadow of himself and that his wife had left him. Mr T knew that Mr B was registered with his practice. When he was on late shift one day, Mr T looked into Mr B’s medical records and discovered that Mr B had recently been tested for HIV and that the result had come back positive. Mr T could not contain his shock and revealed this to a mutual friend when they met later the same day.
Two weeks later, Mr T was called into the practice manager’s office. Mr B had made a formal complaint to the practice as he suspected that someone from the practice had accessed his records and publicised his HIV status. An audit trail had revealed that Mr T had accessed Mr B’s record without any valid reason. Mr T underwent disciplinary action and was dismissed. The practice manager wrote a very apologetic and empathic letter to Mr B.
Another month later, the practice received a letter of claim requesting £50,000 compensation for Mr B’s psychological trauma. Mr B claimed that his family and friends had deserted him, and he was now a recluse and terminally depressed. The senior partner of the practice contacted Medical Protection to request assistance. She was advised to notify their public liability insurer (PLI) instead. Their PLI took over the conduct of this claim.
How data breach claims are handled
Claims arising from data or confidentiality breaches are not uncommon. As a healthcare professional, you may be pursued for these alleged breaches, whether within or outside healthcare provision, and from your personal conduct or that of others, usually employees.
Some case scenarios of claims reported to Medical Protection:
- Divulging medical information or test results to a patient’s relative or ‘representative’ without the patient’s consent
- Employees accessing the patients’ medical records without valid reasons
- Sending medical information to the wrong recipient or address
- Leaving medical records in a public place
- Loss of medical records in your care
Claims or monetary penalties arising from data loss or data breaches fall outside healthcare indemnity and are therefore outside the scope of Medical Protection assistance. This is in line with NHS Resolution’s position, under which the Clinical Negligence Scheme for General Practice (CNSGP) does not cover activities arising from breaches of data protection regulations.
It is therefore crucial for healthcare organisations like GP practices, private clinics and private hospitals to ensure adequate cover is in place for these claims, usually through their public liability insurer.
Learning points
- Be familiar with data protection laws and confidentiality
- Ensure that your staff members are adequately trained
- Explore adequate indemnity cover with your public liability insurer or other appropriate insurers, for example employers’ liability or directors’ liability insurances