The Leak of Medical Information
It can be highly distressing to find out that information relating to your health has been leaked. This type of information is inherently private and confidential. Most of us would not want it shared beyond our healthcare professionals and perhaps a few trusted loved ones.
It is unlikely that your paper medical records will make their way into the public domain. However, data leaks are often more straightforward: for example, the simple dissemination of the fact that you suffer from a particular medical condition.
There are wide-ranging scenarios where private or confidential medical information might make its way into the public domain or to third parties without the consent of the person concerned. This can often happen as a result of negligence. A leak can also sometimes be malicious, for instance where there is a breakdown in a personal or professional relationship and one person discloses private information, motivated by anger or seeking revenge. An example of this is the case of Cooper v Turrell  EWHC 3269, which concerned the intentional posting on the internet of information relating to the health of the claimant by a former employee (which in this case happened to be inaccurate).
Any prospective claim is usually actioned under one or more of the following heads of claim:-
(a) Misuse of Private Information;
(b) Breach of Confidence; and/or
(c) Breach of the General Data Protection Regulation and Data Protection Act 2018 (in historic cases the Data Protection Act 1998 may apply).
Misuse of Private Information
This is now recognised as a distinct legal “tort”. Liability is assessed on whether:-
(a) The information was private – this will be based on whether the person to whom the information relates had a ‘reasonable expectation’ of privacy in relation to the information. Consideration of a person’s ECHR Article 8 right to respect for private and family life will determine whether there is such an expectation. This will often be easy to determine when the material leaked concerns medical information.
(b) There has been an infringement of the person’s reasonable expectation of privacy. This will be fact-specific and, in many cases, it will be clear whether there was an infringement or not. Where the disclosure is arguably in the public interest, it is likely that there will need to be a more rigorous assessment of the merits of the claim, and this will include a balancing exercise with the ECHR Article 10 right to freedom of expression. A defendant may be able to defend an action if the information is already in the public domain.
The remedies available are an injunction to prohibit the dissemination and damages. Damages are principally intended to compensate a claimant for the distress that the unauthorised disclosure has caused to the person concerned.
Breach of Confidence
This is an equitable cause of action that was traditionally associated with the unauthorised leak of trade secrets. The case of Coco v AN Clark Engineers Ltd  RPC 41 sets out the three essential requirements that must be fulfilled to bring a claim under this cause of action:-
(a) The information in respect of which relief is sought must have the necessary quality of confidence about it. In other words, the information would not already be common knowledge or within the public domain;
(b) The information must have been imparted in circumstances importing an obligation of confidence. The law in this area has developed to allow such an obligation to be inferred in a wide variety of situations (including personal confidences), where a contractual relationship does not exist. An obligation of confidence will, therefore, usually arise whenever a person receives information that he knows or ought to know is confidential.
(c) There must be an unauthorised use/disclosure of that information.
If a claim for breach of confidence succeeds, the remedies which can be awarded include damages, an account of profits and/or an injunction.
Breach of the GDPR and Data Protection Act 2018
Generally, companies and persons who process personal data will be ‘data controllers’ under data protection legislation. The legislation imposes certain obligations on these controllers and they will need to register with the Information Commissioner’s Office (ICO). The obligations include implementing proper procedures for the protection of personal data and processing that data in accordance with the principles set out in the GDPR. If there has been a leak of medical information then this will often mean that there has been a breach of the GDPR and Data Protection Act 2018 (medical information nearly always being personal data and, indeed, a special category of sensitive data). A claim can be defended on the basis that the defendant took such care as was reasonably required in the circumstances. This will be fact-specific.
If a breach is continuing, a Court can order that the data controller cease processing personal data in the manner complained of. A data subject may claim compensation if they suffer ‘damage’ as a result of a failure to comply with the Act. Unlike many other areas of law, it is not necessary to prove financial loss and the Court can award compensation for distress alone.
A complaint can also be made to the ICO, which has the power to impose large fines (up to €20 million or 4% of turnover) on data controllers.
Truth, False Privacy and Libel
Unlike libel, in privacy claims the question of whether the information is true or false is not normally relevant to the issue of liability. The critical issue will generally be whether there has been an unjustified interference with your ECHR Article 8 rights. Where the information is false there may also be a concurrent claim for libel if the publication of it is likely to cause others to think less of you or shun you (and you have suffered serious reputational harm).
How can our medical privacy solicitors help?
Where medical information has been leaked the priority is containment. In some circumstances it may be necessary to seek injunctive relief from the court to prevent further dissemination.
Where dissemination has already occurred we can pursue claims for damages.
We have extensive experience in bringing actions against companies, individuals and state organisations including NHS Trusts and local authorities.
If you believe that your confidential or private medical information has been leaked or misused without your consent then simply send us an email, complete our online enquiry form or call us on 020 3813 5135 to find out how we can help you.