Southern Health NHS Trust pays settlement in data breach claim

Southern Health NHS Trust has admitted failing in its data protection obligations following an incident which involved a member of its staff accessing and sharing details of a patient’s confidential medical records without consent.

The breach took place in 2016 but was only discovered more than two years later following a Right of Access information request by Fordingbridge resident Robert Richardson.

Council files revealed that following his request for a more secure back door to be provided for his property following serious threats made against him, New Forest District Council had contacted the NHS to ask whether he was known to its mental health facility.

61-year-old operations administrator Robert Richardson said: “I asked the local council to replace my back door for added security for my family, but they were not forthcoming. I had concerns about what was happening internally at the Council in relation to my request. I proceeded to make a Right of Access request only to discover that they had contacted the NHS with the suspicion that I was suffering mental health issues.

“I was stunned and very upset to discover that this had taken place without my knowledge, or consent, and even more upset that the NHS had proceeded to access my private medical records to confirm to the Council that I had not been a mental health patient, again without my knowledge or consent.

“This followed a simple request to have the back door of my property replaced and at no point did the Council, or the NHS, ask permission to share my private information.”

Representing Mr Richardson, James Kelliher, litigation executive at data breach and cybersecurity specialist Hayes Connor Solicitors, commented: “The Trust admitted that a technical breach of the Data Protection Act had occurred. Our client discovered the breach purely by chance. It is concerning that private medical information was accessed and details shared without our client’s consent. Had he not made a Right of Access request the breach would have gone undetected.

“We pursued a successful data breach claim against Southern Health NHS Trust on behalf of Mr Richardson securing £1,500.

“GDPR came into force last year raising awareness of data privacy however, individuals’ private information has been protected by data protection laws for some time predating this, a fact that both the Council and NHS Trust should have been well aware of.”