
Sensitive patient information exposed in NHS trust data breach


Multiple NHS trusts in England have been found to have been collecting and sharing patient information with Facebook without consent.

An investigation by the Observer has discovered a covert tracking tool contained within the websites of 20 NHS trusts. Over the course of many years, this has been collecting users’ browsing information before sharing it with Facebook.

The data extracted by Meta Pixel, the tool used, can be matched to a user’s IP address or their Facebook account. The information sent to Facebook by the responsible NHS trusts includes data which could reveal sensitive medical details when linked to an individual.

Collectively, the 20 NHS trusts who have used the tracking tool serve a population of more than 22 million people in England.

The data collected related to patients who visited NHS webpages for a wide range of reasons. This includes advice regarding HIV, self-harm, gender identity, sexual health and children’s treatment. This type of information is likely to include ‘special category’ health data which has an extra layer of protection in law and is considered to be extremely sensitive.

It is not possible to determine exactly how Facebook has used this data once it reached its servers. Facebook claims to prohibit organisations from sending it sensitive health information and to have filters in place to prevent this from happening, though there is no way to guarantee how effective these filters are.

The Information Commissioner’s Office (ICO) have said that they have noted the findings of the investigation and will be considering the matter. An ICO spokesperson stated: “People have the right to expect that organisations will handle their information securely and that it will only be used for the purpose they are told.”

NHS England have stated that individual trusts are responsible for adhering to data protection laws, with a spokesperson saying: “The NHS is looking into this issue and will take further action if necessary.”

If an NHS trust has shared your data without your consent, you may be able to make a claim for compensation. This is something our data breach experts at Hayes Connor will be able to support you with.

Our specialist data breach solicitors are ready to advise anyone who has been affected by the NHS trust data breach. When instructed, we will be able to provide tailored guidance on whether you will be in a position to make a claim, as well as the process for making a claim. To find out more about making a claim and how you can get started, please get in touch.

What to do if you are concerned about the NHS trust data breach

If your data has been shared by an NHS trust without your consent, the responsible trust should issue a statement confirming that this is the case. However, as of yet, not all trusts have issued an apology, which means that there is a chance you may not have been contacted if your data has been mishandled.

Where you have not been directly informed that your data has been shared without your consent, you should get in touch with the relevant NHS trust as soon as possible.

As it is not clear how your information may have been used after being shared with Facebook, it is important that you are wary of any unexpected communications, particularly where they appear to be from an NHS representative. These could be ‘phishing’ attacks which are designed to extract further personal information from you.

There are several steps that you can take to reduce the potential of cybercriminals using your personal data against you. To learn more about this, read our helpful guide on what to do if your data has been stolen in a data breach.

If you have been affected by an NHS trust data breach, you could be entitled to compensation. This is where our data breach experts at Hayes Connor will be able to step in to support you.

How Hayes Connor can help you claim compensation for the NHS data breach

Anyone who handles special category data, such as sensitive medical records, is legally obligated to keep it secure. This means that they will not be able to share said data without your explicit consent. Where an organisation fails to uphold this obligation, as the NHS trusts appear to have done in this instance, anyone affected could make a claim.

At Hayes Connor, we have one of the largest teams of dedicated data breach specialists in the country. Our team have a wealth of combined expertise and experience which we use when handling a wide range of data breach claims.

Our team will work alongside you to gain a detailed understanding of your situation, and the impact of the breach. From here, we can then assess whether you will be in a position to make a claim, and how the process will work moving forwards.

We understand how stressful it can be to discover that you are the innocent victim of a data breach, particularly where it involves your sensitive medical details. As such, we will provide close personal support during this time, and we will make the entire process as straightforward and stress-free as possible.

You can find out more about our expertise and how we handle data breach claims here.

To start a claim, you can use our online claim form.

To speak to a member of our team about the NHS trust data breach, please do not hesitate to give us a call on 0330 041 5131.