Skip to main content Make an enquiry

Leak of medical information

It can be highly distressing to find out that information relating to your health has been leaked.  This type of information is inherently private and confidential.  Most of us would not want it shared beyond our healthcare professionals and perhaps a few trusted loved ones. It is unlikely that your paper medical records will make their way into the public domain.  However, data leaks are often more straightforward.  For example, the simple dissemination of the fact that you suffer from a particular medical condition.

Over the years we have helped thousands of public figures, HNWIs and professionals enforce their privacy rights. Our highly-regarded media law department is unique because all our solicitors work exclusively in this field.  This means that our clients receive the best possible advice and representation.

There are wide-ranging scenarios where private or confidential medical information might make its way into the public domain or to third parties without the consent of the person concerned.  This can often happen as a result of negligence or a leak can sometimes be malicious, for instance where there is a breakdown in a personal or professional relationship and one person discloses private information, motivated by anger or seeking revenge. An example of this is the case of Cooper v Turrell [2011] EWHC 3269 which concerned the intentional posting on the internet of information relating to the health of the claimant by a former employee (which in this case happened to be inaccurate).

Any prospective claim is usually actioned under one or more of the following heads of claim:-

(a)  Misuse of private information;

(b)  Breach of confidence; and/or

(c)  Breach of the UK General Data Protection Regulation ('UK GDPR') and Data Protection Act 2018 (in historic cases the [EU] GDPR and Data Protection Act 1998 may apply).

Misuse of private information

This is now recognised as a distinct “tort” (civil legal wrong).  Liability is assessed on whether:-

(a)  The information was private – this will be based on whether the person to whom the information relates had a ‘reasonable expectation’ of privacy in relation to the information.  Consideration of a person’s right to respect for private and family life will determine whether there is such an expectation.  This will often be easy to determine when the material leaked concerns medical information.

(b)  Whether there has been an infringement of the person’s reasonable expectation of privacy.  This will be fact specific and, in many cases, it will be clear whether there was an infringement or not.  Where the disclosure is arguably in the public interest then it is likely that there will need to be a more rigorous assessment of the merits of the claim and this will include a balancing exercise with the right to freedom of expression.  A defendant may be able to defend an action if the information is already in the public domain.

The remedies available are an injunction to prohibit the dissemination and damages.  Damages are principally intended to compensate a claimant for the distress that the unauthorised disclosure has caused to the person concerned.

Breach of confidence

This is an equitable cause of action that was traditionally associated with the unauthorised leak of trade secrets.  The case of Coco v AN Clark Engineers Ltd [1969] RPC 41 sets out the three essential requirements that must be fulfilled to bring a claim under this cause of action:-

(a)  The information in respect of which relief is sought must have the necessary quality of confidence about it.  In other words, the information would not already be common knowledge or within the public domain;

(b)  The information must have been imparted in circumstances imparting an obligation of confidence.  The law in this area has developed to allow such an obligation to be inferred in a wide variety of situations (including personal confidences), where a contractual relationship does not exist. An obligation of confidence will, therefore, usually arise whenever a person receives information that he knows or ought to know is confidential.

(c)  There must be an unauthorised use/disclosure of that information.

If a claim for breach of confidence succeeds, the remedies which can be awarded include damages, an account of profits and/or an injunction.

Breach of the UK GDPR and Data Protection Act 2018

Generally, companies and persons who process personal data will be ‘data controllers’ under data protection legislation.  The legislation imparts certain obligations on these controllers and they will need to register with the Information Commissioner’s Office (ICO).  The obligations include implementing proper procedures for the protection of personal data and to process that data in accordance with the principles set out in the GDPR.  If there has been a leak of medical information then this will often mean that there has been a breach of the GDPR and Data Protection Act 2018 (medical information nearly always being personal data and, indeed, specialist category of sensitve data).  A claim can be defended on the basis that the defendant took such care as was reasonably required in the circumstances.  This will be fact-specific.

If a breach is continuing a Court can order that the data controller cease processing personal data in the manner complained of.  A data subject may claim compensation if they suffer ‘damage’ as a result of a failure to comply with the Act.  Unlike many other areas of law, it not necessary to prove financial loss and the Court can award compensation for distress alone.

A complaint can also be made to the ICO, which has the power to impose large fines (up to €20 million or 4% of turnover) on data controllers.

Truth, false privacy and libel

Unlike libel, in privacy claims the question of whether the information is true or false it is not normally relevant to the issue of liability.  The critical issue will generally be whether there has been an unjustified interference with your private life.  Where the information is false there may also be a concurrent claim for defamation if the publication of it is likely to cause others to think less of you or shun you (and you have suffered serious reputational harm).

Why should I instruct Brett Wilson LLP?

In short, to ensure that you have the best team fighting for you and to maximize your prospects of success.  Privacy law is novel and complex and it is generally ill-advised to instruct non-specialist lawyers. Our work and client care is of the highest standard.  All cases are run by a specialist privacy solicitor.  Every matter has partner involvement. We have extensive experience in bringing privayc claims. If there is a good settlement to be negotiated, we are confident we are well placed to achieve it.  If there is a case to be litigated, we are confident we can help you seek the best result.

We have long-standing working relationships with the best media law KCs and junior barristers, whom we can draft into the team to represent you in court if the need arises.

As well as being listed in the prestigious Legal 500Chambers and Partners and The Times Best Law Firms directories as a leading firm in the fields of defamation, privacy and reputation management law, partners Iain Wilson, Max Campbell and Tom Double are all individually recognised as leading individuals.  Iain Wilson and Max Campbell are additionally recommended by the Spear’s 500 HNWI directory for their reputation management work.  Iain Wilson is also recommended in the Tatler Address Book.  Most importantly, the firm receives excellent feedback from its clients and contemporaries.

Litigation can be stressful, time consuming and costly.  Therefore at the outset of your case we will conduct a cost benefit analysis with you. We will talk you through this process. We offer honest and pragmatic advice to our clients.  We will always consider alternative options, including asserting other causes of action (such as harassment and defamation), approaching intermediaries or PR work.

How do I instruct Brett Wilson LLP?

The first step is to attend a preliminary consultation.  At the consultation we will advise you on the merits of any claim, talk through the relevant practical and legal issues, and set out your options.  We will review relevant documentation ahead of the consultation.  The consultation will help you understand your position and allow you to make an informed decision about what action to take.

Consultations take place in our London offices or by video/telephone.  We can also travel to you.

To request a consultation please send us an emailcomplete our online enquiry form or call us on 020 7183 8950.  If emailing or using the online form, please provide a short outline of your situation.

Details of the cost of a consultation will be provided following your enquiry.


We regret that we are unable to review your case or provide advice prior to a consultation or without being formally instructed.  

We do not offer alternative funding arrangements.  


Note: accidental data leaks where relatively anodyne/trivial information is disclosed to a small number of individuals are unlikely to attract significant awards of compensation, unless it can be evidenced that serious loss was suffered as a direct cause of the leak (and that such loss was reasonably foreseeable).  These claims should usually be litigated on the small claims track of the county court, where legal costs are not normally recoverable.  In such cases it may not be cost-effective to instruct solicitors to act on your behalf.  


Contact us to request a consultation

Call 020 7183 8950
or send us a message.

Notable reported cases