One Year on From the Greater Manchester NHS Data Breach: What We Know

Aman Johal, Lawyer and Director of Your Lawyers, looks at the fallout of the breach and the lessons it has to teach.

In September 2019, it was revealed that more than 2,000 patients had been the victim of data breaches at an NHS Trust. The Wrightington, Wigan, and Leigh NHS Foundation Trust informed those involved that their personal information was accessed – in some cases, on multiple occasions – by employees without reason or authority to do so.

Whilst it is not uncommon for isolated events like this to occur, it was alarming to learn of what essentially looks like a “mass snooping” event taking place over a lengthy period of time that involved multiple employees at a single NHS Trust. This invasion of privacy of personal and sensitive information – which included blood test results, medication details, and discharge letters – took place over 18 months before senior figures at the Trust became aware of an issue following a patient complaint.

These data breaches affected a huge number of people who now have the legal right to claim compensation. One year on, what are the lessons from the Trust’s failings?

How the breaches happened

Estimated to have commenced in January 2018, the data breaches involved employees who had legitimate access to patient records exploiting the system and snooping on the records of patients without reason or authority to do so.

After the breaches came to light, the Trust was quick to say that many affected only had their patient records accessed once. However, this is precisely the kind of data that most people want to remain confidential, and the fact that some had their personal and sensitive healthcare information viewed on multiple occasions is further alarming.

Regardless of how many times a perpetrator accessed information, it seems clear that a lax approach to data protection created the perfect environment for privacy breaches to easily occur.

In their letters to the victims, the Trust admitted that “poor computer etiquette” had been identified after they had discovered the breaches. While the Trust didn’t specify what ‘poor computer etiquette’ entailed, it may include a laissez-faire approach to data protection that too many organisations have been guilty of in recent years.

The rights of those affected by the Greater Manchester data breaches

It was not confirmed by the Trust why members of their team had been accessing medical records for individuals without reason or authority, nor has the Trust been able to properly identify the employees committing the breaches. We can only estimate that we could be looking at several NHS employees accessing personal records in a way that is in breach of important data protection legislation. More often than not, in cases of healthcare data misuse, the perpetrators know the victims that they snoop on.

Those impacted by the breach are entitled to claim compensation. As with the 56 Dean Street breach – where 780 patients had their HIV status leaked– and the Charing Cross Gender Identity Clinic data leak – where names and email addresses of patients were exposed – some victims of the Greater Manchester NHS data breaches could be eligible to receive up to £30,000 in compensation. Amounts will be based on the impact of any distress caused by the loss of control of personal information, which could be substantial in some cases.

More often than not, in cases of healthcare data misuse, the perpetrators know the victims that they snoop on.

The misuse of such sensitive and highly personal medical data can be extremely harmful to people, and those impacted by the Greater Manchester NHS data breaches can claim compensation.

What are the lessons from the Greater Manchester NHS data breach?

The Greater Manchester NHS data breach was not a one-off, and there have been several high-profile breaches in its wake. This breach, and the Charing Cross Gender Identity Clinic leak revealed around the same time, demonstrated that lessons are not being learnt, regardless of the threat of large fines following the introduction of General Data Protection Regulation (GDPR).

Organisations in the healthcare sector are entrusted with private and sensitive information, and the duty to protect it is incredibly important. No organisation should ever view data protection as an afterthought and everyone must recognise the responsibilities that they have.

Part of this recognition involves a change from reaction to prevention; moving away from reacting to data breaches after the fact and taking active steps to stop them from occurring in the first place. This includes even basic things such as the enforcement of strong passwords, access restrictions and auditing the access of information, as well as proper cybersecurity measures such as encrypting stored data, implementing antivirus software and making use of firewall protection. If organisations don’t put these measures in place then, in accordance with the GDPR, they could be facing substantial fines and the costs of compensation action for an error that is easy to resolve if the mentality is right.