
Woman threatened after her gym shared her home address with another customer

Data breaches are never out of the news. But while most of us worry about getting our identity or money stolen after a hack, we don’t tend to consider the possibility of physical threats. But, in a recent case, our solicitors saw the impact of what can happen when a woman’s address was handed to an angry customer by mistake.

What happened in this case?

In this data breach, a gym provided the personal details of a woman (our client) to another customer who shared her name.

This other person had received emails from the gym intended for our client. The emails were sent chasing missed payments. Confused as to why she was receiving the emails, the other woman became concerned that she had become the victim of identity theft. And, when she questioned the outstanding payments with the gym, a member of staff supplied her with our client’s home address.

Following this, the woman’s father went to our client’s home and banged on her door, accusing her of attempting to “clone” his daughter’s identity. Our client was at home with her two young children, one of whom is disabled, and she found this experience both frightening and upsetting. She then contacted the gym to find out what was going on and received an apology for the mix-up.

However, the other woman’s father still did not understand that our client was not at fault. And, when our client returned from holiday, she received three letters from him, all of which contained threats. As a result, she reported the incident to the Police and Action Fraud.

It seems that, despite becoming aware of the situation, the gym continued to send emails to the wrong woman demanding payment. These emails also disclosed part of our client’s bank card number.

As a direct result of poor systems, and a failure to cross-reference their systems to identify distinguishing features between the two customers, this data breach has caused our client considerable distress, upset and even fear. As such, the consequences of the error were particularly upsetting.

Have you been in a similar situation? Contact us today.

What can you do to stop this from happening to you?

There are a few lessons that can be learned from this case. For example, when handing over your email address to an organisation, it is vital that you check that these details have been taken down correctly.

You are completely within your rights to ask for a copy of the data a business (or any other organisation) holds about you. This is called making a subject access request (SAR). Find out more about making a SAR.

Of course, this won’t guarantee that an error doesn’t result in an email going to the wrong address, but it is still a good safety precaution to take.

What’s more, if you do find yourself in a similar situation to our client, like her you should report the incident to the Police and Action Fraud. Action Fraud is the UK’s national reporting centre for fraud and cybercrime in England, Wales and Northern Ireland.

Find out more about Action Fraud here.

Alternatively, if you are an employee of a gym or any other business and you want to make sure that you don’t make a similar mistake, talk to your employer about any processes that can be put in place to make sure that the information you hold on your customers is correct. Such steps could include things like additional data protection training, and checks and balances on systems generating correspondence.

For more advice on how to keep your data safe, follow Hayes Connor on Twitter or give us a like on Facebook. Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.


York council app hacked. What to do if you have been affected

According to reports, almost 6,000 people could have had their data breached after a City of York Council app was hacked.

In a letter sent to those potentially affected by the latest data breach, the council states that it has been contacted by a hacker who claims that they have found a way to access the personal data of residents using the One Planet York app. The app allows users to check their bin collection dates, and other information regarding recycling.

The compromised data includes phone numbers, encrypted passwords and addresses. It is not yet clear what the hackers have done with, or plan to do with, the data. However, it has been suggested that the hacker could be someone who looks for data vulnerabilities in the public interest. This is because those responsible have not yet requested anything in return for the personal data.

The letter from the City of York Council says: “We value your privacy and deeply regret this incident occurred. We have conducted a thorough review of the One Planet York app, we have deleted all links with the app and as a result, will no longer support it going forward.

“We have deleted it from our website and asked for it to be removed from the app stores and ask that you now delete it from your device.

“We cannot say for certain what the third party responsible has done with the data.”

The incident has been reported to North Yorkshire Police.

App users have been advised to delete the app and change their passwords. However, at Hayes Connor Solicitors, we have considerable experience helping individuals whose data has been breached and would also recommend some additional steps to keep users safe.

This includes contacting your bank and credit card providers immediately if you suspect your financial data may be compromised and looking out for fraudsters who attempt to gather more personal information (phishing).

Furthermore, we would always recommend that you inform the Information Commissioner’s Office (ICO) about your concerns. The ICO is the body which undertakes investigations on behalf of individuals into suspected data breaches. You should also report any suspected phishing attempts to the police and relevant authorities. Also, if you need support following the data breach, Victim Support is on hand to help you.

Find out more about our partnership with Victim Support.

The public sector is privy to a wide range of our sensitive information and this data is regularly shared between organisations as part of modern governance and the delivery of public services. And, if you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation.

But, at Hayes Connor, we don’t just focus on compensation. In today’s digital world, your personal data is a valuable commodity. So, we want to do all we can to keep you, and your sensitive information as safe as possible.



Five cybersecurity trends to watch in 2019

Scrutinising the cybersecurity landscape, here are some of the key trends you can expect in 2019.

  1. Cybersecurity is now a threat to every organisation

Cybersecurity has been brought into the mainstream. Modern criminals are no longer content with targeting banks and other financial institutions. Instead, they are affecting all kinds of organisations from hospitals to law firms, local authorities to businesses.

Common threats include ransomware, phishing and malware.

You can check out the latest data security incidents by sector on the ICO’s website.

  2. Hefty fines are coming

Since the introduction of the GDPR, the ICO has taken a proactive stance when it comes to commenting on large-scale breaches. But, as yet, it is still focused on supporting organisations to take appropriate action in the immediate aftermath of any privacy violation, and on helping to prevent breaches from happening in the first place.

So, we haven’t yet seen the enormous fines promised for those that don’t look after our data properly. But you can be sure they are coming. And, according to data protection lawyers, the Ticketmaster data breach could be a real test to see if the legislation will hold companies to account.

  3. Methods of attack are becoming increasingly sophisticated

While the majority of attackers are still going after easy “low-hanging fruit” there are signs that cybercriminals are becoming increasingly sophisticated.

For example, last year two friends were jailed after breaching the TalkTalk website in 2015 as part of a group of hackers. During the raid, the pair managed to get away with the names, addresses and dates of birth of 1.6 million customers, before sharing much of the data online. And while TalkTalk was fined £400,000 by the Information Commissioner’s Office (ICO) for not appropriately securing the data, the “significant, sophisticated systematic hack” is thought to be one of the biggest data breaches in history.

AI-assisted imposters are also set to become an increased threat, with machine learning helping to make existing cyber-attack efforts like identity theft, denial-of-service attacks and password cracking faster, more formidable, and more effective.

Furthermore, as we move deeper and deeper into the Internet of Things (IoT), more and more devices and data are going to be connected to the internet. Keeping these safe from hackers is going to be an ongoing challenge.

  4. The law is still evolving when it comes to data protection

In 2019, it is much easier to bring compensation claims for distress in their own right, rather than as an add-on to a financial loss claim. What’s more, the courts are looking at a wider range of factors when deciding on appropriate compensation.

There is also more emphasis on the relationship between privacy rights and data protection from a legal perspective. This is good news for individuals as it means they can start a claim based on more than one ground (i.e. for the misuse of private information and for breach of data protection obligations).

  5. Cybersecurity is now political

We’ve all read about how Facebook was allegedly used to corrupt our democratic process following the Cambridge Analytica scandal, with questions raised over whether our data was used to influence the outcome of the Brexit referendum.

What’s more, a recent parliamentary committee warned that our critical national infrastructure is at risk from cyber attackers. And the National Cyber Security Centre (NCSC) cautioned that hostile states are likely to target British infrastructure.

For example, experts are predicting that smart energy meters could leave householders vulnerable to cyber-attacks and higher bills. Perhaps even more concerning, in March 2018 the National Grid was put on alert amid fears of a Russian cyber-attack, and given advice on how to boost its defences to prevent power cuts and avoid a catastrophic attack.

Awareness is crucial

At Hayes Connor, we believe that raising awareness of the growing cybersecurity threat will help organisations across the UK improve their data protection processes. But it’s also vital that we all do our bit to protect ourselves as individuals.

For more advice on how to keep your data safe, follow us on Twitter and Facebook. Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.




Are hospitals doing enough to protect patient confidentiality?

One in 13 patients will have their records stolen after a healthcare provider data breach[1]. However, despite the headlines, fraudsters don’t just use the internet to get their hands on our sensitive information. So, while hospitals are looking at what they can do to protect our online data, they must also look at improving security measures to prevent unauthorised physical access to sensitive medical records.

In an unusual case, our solicitors saw just how one fraudster was able to get his hands on sensitive medical information by impersonating a member of the hospital’s medical team.

What happened in this case?

In this data breach, a woman (our client), was a patient in hospital having just given birth. However, while she was there a fraudster impersonated a doctor to obtain information about her personal medical situation.

A student nurse provided the highly sensitive information to the imposter, which included details about a disease which our client had recently been diagnosed with, and with which she was struggling to come to terms.

To date, nothing untoward has happened to our client following this incident, and there has been no contact from the person who obtained her medical records. But as she still does not know who accessed her data, and what might be done with it, this situation is incredibly disturbing, and understandably this uncertainty has caused the woman considerable distress.

Lessons learned

Hospitals and other healthcare organisations need to do more to protect sensitive patient data.

All too often employees are involved in healthcare data breaches, and as such, employee training and awareness must form a core part of any security strategy and measures.

In this case, the hospital in question subsequently investigated the incident and agreed to improve their security systems and internal practices. Just simple steps such as ensuring that all members of staff wear ID at all times can make a big difference.

For more advice on how to keep your data safe, follow Hayes Connor on Twitter or give us a like on Facebook. Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.

[1] Accenture


Should you hold British Airways responsible for its data breach?

At Hayes Connor Solicitors, we’re helping victims of the British Airways data breach to claim compensation after their personal information was put at risk by the airline.

However, in our work we often hear people talking about how companies like British Airways (BA) should not have to pay for the acts of unscrupulous hackers. And it’s true that cybercriminals are becoming increasingly sophisticated. But this doesn’t let negligent organisations off the hook.

The truth is that in most cases, data breaches happen because of a failure to implement reasonable and robust processes. We believe that this was the case at BA.

As such, claiming compensation isn’t just in your best interests. The only way big organisations will be persuaded to take their data privacy responsibilities seriously and make improvements is by hurting their bottom line.

Brand loyalty is all well and good, but it’s vital that we don’t put the needs of big companies above the rights of their customers.

Crucially, if BA had done everything in its power to protect its customers’ data, and had robust security processes in place, it is unlikely that a claim for compensation would be successful. This is why we usually wait for the results of an investigation by the Information Commissioner’s Office (ICO) before starting a group action.

So, was BA responsible for the data breach? Let’s look at the facts.

  1. British Airways didn’t spot the data breach for two weeks

In September last year, it was revealed that almost 400,000 BA customers had their bank card details stolen in one of the most severe cyber-attacks in UK history.

Worryingly, the hack went undetected for two weeks before BA told its customers about the breach and reported the incident to the police. BA has admitted that the hackers spent more than a fortnight accessing data online and we believe that this is a significant failure by BA – one that increases the risk to passengers substantially.

With 12 days between the BA data breach occurring and the incident being detected, questions have been asked as to whether poor systems made this cyber-attack worse.

  2. British Airways uncovered a second data breach when investigating the first

To make matters worse, when investigating this case, a second data breach was also spotted at the airline.

In this instance, 77,000 people had their names, addresses, email addresses and detailed payment information taken. This included card numbers, expiry dates, and card verification value (CVV) numbers. And, a further 108,000 people had their personal details stolen. This hack could have left customers exposed for months.

  3. Hackers could already have made millions from the British Airways data hack

Russian hackers may have made millions selling credit card details stolen from BA customers. Research has found that stolen data was put up for sale on the dark web about a week after the BA breach. Hackers were charging between £7 and £40 (approximately) for each card’s worth of information.

BA says it has not received reports of fraud resulting from the attack on its own systems.

  4. The British Airways hack might have been caused by the same hackers as Ticketmaster

According to reports, a cyber-criminal operation known as Magecart is behind the recent BA data breach. The group has been very active over the past three years. It is also thought to be behind the Ticketmaster data hack.

A report by RiskIQ states that clues link the same operation to the BA breach. The company said the code found on the BA site was very similar. However, the code was modified to suit the way the airline’s website had been designed. Crucially, if RiskIQ is right about how the attack worked, a cybersecurity researcher has told the BBC that “BA should have been able to see this”. So the hack could have been very easily prevented.

Worryingly, in the Ticketmaster data breach case:

  • 63% of all the clients we took on suffered multiple fraudulent transactions on their payment cards, and
  • 31% of all our clients involved in this case suffered from distress and/or psychological trauma as a result of having their card details stolen and used in fraudulent activity.

What’s more, it is becoming increasingly clear that the impact and losses people sustain following a data breach are not always immediately apparent. Indeed, in the Ticketmaster data breach, we are starting to see cases where the impact occurred months later. This is often because data stolen is used in batches over time.

So, as yet it’s impossible to say how many people have been impacted by the BA data breach, and to what extent.

  5. British Airways has been accused of not taking its responsibilities seriously following the data breach

Following the BA data breach, the airline said that compensation claims would be discussed on an ‘individual basis’. However, it is not up to the airline to dictate the terms of any compensation payments.

In response, customers took to the media to share their fury at the airline’s handling of the privacy violation.

According to an article in The Metro, one BA customer said “They talk about compensation to be discussed on a case-by-case basis. To me, this seems incredibly unprofessional.”

He added: “They are trying to not take full responsibility for it”.

The same customer is reported to have suffered fraudulent activity on his credit card, which he used to book a BA flight during the time the data was at risk.

Some customers have complained that they have not been contacted by BA about the data breach, despite having seen fraudulent activity on their payment cards. Others have complained about BA advising customers to go to their bank for advice, rather than issuing its own instructions to help travellers stay protected.

One BA customer told the BBC: “I have six cards linked to my BA account. I have no idea how much of my data information has been stolen. I will have to go to each of my credit card providers, cancel the cards, and all the direct debits, etc., related to those cards. This will take a long time, something I have to do with no help from BA”.

Make a British Airways compensation claim with Hayes Connor Solicitors

At Hayes Connor, we want to reduce the number of data violations taking place across the UK.

To do this, we are helping to raise awareness of data breaches and cybercrime, and educating people and businesses to prevent similar infringements from happening. For more advice on how to keep your data safe, follow us on Twitter and Facebook.

But, where a breach has already occurred, it’s vital that you can recover your losses. We could be talking about one of the most severe data breach cases to hit the UK, so it’s critical that people can get the help they need.

To join our British Airways data breach group action compensation claim, you will need to register with us. We’ll let you know what is happening in this case and if and when you can make a BA data breach compensation claim.



Sandwell Council suffers 500 data breaches in just five years

Following an investigation by The Express & Star, it has been revealed that almost 500 data breaches have occurred at Sandwell Council in the past five years.

According to the report, sensitive information has been either stolen, lost or incorrectly disclosed. And in some cases, people’s names and addresses were unintentionally shared.

Sandwell has classed all 499 data breaches as ‘low level’ incidents. However, with one data breach occurring every four days on average, this is sure to be worrying for people living in the area.

Sandwell Council is said to be reviewing its ‘information governance arrangements’. However, speaking about the findings, which were made available following a Freedom of Information request by the newspaper, a spokesperson said: “The majority of these minor data breaches have occurred in cases where data is being transferred internally between council departments, rather than to outside organisations.

“These low-level data breaches will occasionally have included the unintentional sharing of, for example, a name or address.

“None of the breaches met the threshold requiring referral to the Information Commissioner.

“The council takes action in respect of every breach, however minor, and can in many cases recover the data immediately.

“It must be remembered that the council handles thousands of pieces of data every single day.”

Not good enough

These violations correspond with our experiences of data breaches at local authorities across the country, where in most cases it’s human error rather than cybercrime that is the biggest cause of data privacy violations.

However, we would argue that handling thousands of pieces of data every day is not a good enough excuse when it comes to data protection failures.

For example, some of the breaches involved staff accidentally sending emails or paperwork to the wrong people. And, while Sandwell Council might consider this to be a low-level data breach, the devastation such negligence can cause can’t be underestimated.

For example, in a recent case, our solicitors saw first-hand what can happen when a local authority sent a copy of a court order containing sensitive personal information about a father (our client) and his daughter to the wrong postal address.

This mistake saw the letter being sent to and read by a neighbour, before being divulged to other family members and neighbours. This caused considerable distress, upset and embarrassment to our client and his family. As such, the consequences of this “small” error were far-reaching.

What can you do to stop this from happening to you?

If you are concerned that your data might be at risk, either by Sandwell Council, or another local authority, you can ask for a copy of the data the council holds about you. This is called making a subject access request (SAR). Find out more about making a SAR.

This won’t guarantee that an error doesn’t result in information being sent to the wrong person, but it is a reasonable safety precaution to take. You can also ask the council for a copy of their acceptable use policy and data protection policy.

Not just hackers

Data breaches are not just caused by cybercriminals. For more advice on how to keep your data safe, follow our #notjusthackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.



Are you sharing too much on social media?

The Facebook/Cambridge Analytica scandal highlighted what can happen when we share our data online. In this case, a researcher garnered details on the likes and habits of Facebook users (without their consent) via a personality quiz app called ‘This is Your Digital Life’. Cambridge Analytica then used this data to target users with political messaging.

But, despite the media attention this case received – and the possible impact on our democracy – it seems that plenty of us are still willing to hand over our information without thinking about the consequences.

The problem with memes

The latest trend across Facebook, Instagram and Twitter is to share a then-and-now picture. But how many people who took part in this “innocent” meme have considered how facial recognition software could be used to exploit this data?

Writing in Wired, Kate O’Neill argues that: “Like most emerging technology, there’s a chance of fraught consequences. Age progression could someday factor into insurance assessment and health care. For example, if you seem to be aging faster than your cohorts, perhaps you’re not a very good insurance risk. You may pay more or be denied coverage.”

She also refutes claims that there is nothing to worry about because “if you have been on social media for a long time the various platforms have this information anyway”. Instead, she argues that a simple, helpfully labelled set of then-and-now photos would be of much more value to these companies than having to trawl through hundreds (if not thousands) of unrelated images.

And it’s not just this current meme that is causing concern. How often do we share when we are away on holiday, when our birthday is, our mother’s maiden name, the name of our first pet, and even where we live? All data that can be used against us if it falls into the wrong hands.

Just a simple “what is your pirate/superhero/band name” post can reveal the answer to some of the most common security questions used by our banks.

Our responsibility to ourselves

It is absolutely right that we are demanding that organisations look after our data with respect, but it is also crucial that we apply the same standards to our own behaviour if we want to stay safe.

For example, when using technology, we must be conscious of the data we are sharing, and how it can be used. On social media this includes things like:

  • Not accepting friend requests from people you don’t know
  • Being careful about what you share online
  • Removing location data from your posts
  • Using a different password for all your accounts
  • Using two-factor authentication
  • Checking the privacy settings of all your accounts
  • Not downloading suspicious apps
  • Thinking twice before clicking on any links
  • Reading the T&Cs of any games or apps you want to use
  • Being aware of common phishing techniques and keeping an eye out for fraudsters who attempt to gather additional personal information.

Today, social media is part of everyday life. So we would never suggest that you stop using it if you don’t want to. But some simple steps can help you to stay safe.

At Hayes Connor, we believe that raising awareness of cybersecurity issues will help to protect ourselves as individuals. For more advice on how to keep your data safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0330 995 0070 to discuss your case in more depth.


The importance of looking after sensitive candidate information during the recruitment process

When applying for a job, we trust recruiters and the places we hope to work with a vast amount of sensitive information. But all too often this isn’t looked after as well as it should be.

In a recent case, our solicitors saw the impact of what can happen when sensitive information supplied as part of a job application was processed incorrectly.

What happened in this case?

In this data breach, the individual managing the recruitment process wrongly addressed sensitive applicant information and failed to send it by recorded delivery or hand delivery, as was the company’s purported standard practice.

The documentation included the following material:

  • A copy of the applicant’s passport
  • A copy of her driving licence
  • A copy of her birth certificate
  • Two letters to prove her address/identity
  • Copies of her NVQ certificates.

The information has still not been recovered and therefore remains a potential threat to our client.

As a direct result of this data breach, our client has suffered severe psychological effects, including stress, anxiety and trauma. So much so that her GP has prescribed medication.

Lessons learned

In many cases, data breaches such as this can be avoided by employees abiding by the data protection principles of their organisations. But it is up to these organisations to make sure that all staff receive regular data protection training to make sure they understand the potential consequences of breaching data protection laws.

Not just hackers

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. To do this, we are sharing such real-life examples of data breaches to raise awareness of this issue and educate people to prevent similar mistakes from happening.

For more advice on how to keep your data safe, follow our #notjusthackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.



Psychology and data breaches. The emotional impact of privacy violations

The sheer scale of the information we share with organisations is enough to leave us all open to the threat of financial and identity fraud. But, when talking about the real-life impact of data breaches, we often don’t consider the impact on an individual’s mental state.

At Hayes Connor Solicitors, we help our clients to make compensation claims after their data has been put at risk by the organisations they trust to look after it. In some cases, these breaches result in serious financial fraud. But, every day, we also help people come to terms with privacy violations that have a severe and often lasting impact on their mental health.

To shed some light on this issue, we interviewed renowned clinical psychologist Professor Hugh C. H. Koch – visiting professor in law and psychology at Birmingham City University School of Law – to find out more about the typical psychological effects experienced by victims of data breaches.

Is there a lack of trust in the organisations that hold our personal information to keep that data safe?

The small number of cases which are publicised and involve the abuse of personal information indicate that personal information can be inappropriately used and this raises individuals’ concerns about security.

Why has that trust broken down?

Significant publicity is given within the media when an organisation or one of its members has abused personal information, resulting in some form of data breach. As a result, individuals are less likely to trust organisations in general when providing personal information. This then can adversely affect effective communication, dealing with correspondence and, especially, telephone or email communications.

Are people becoming more stressed about the need to keep their personal information and passwords secure?

People are certainly becoming more aware of the potential risks in giving out personal information to organisations which may or may not be stored and used for purposes of which the individual is unaware. The storage and changing of passwords also raises concerns about security. This increased awareness can, in some cases, result in individuals becoming stressed and worried about adverse consequences.

What are the typical psychological effects experienced by victims of data breaches?

Data breach victims typically experience high levels of anxiety, specific to the data breach but also generalised to other aspects of dealing with correspondence, telephone and digital communication and payment for services. Victims experience social anxiety, with difficulties dealing with friends and neighbours, tradesmen, shopping transactions and can develop oversensitivity or paranoia in their communications with others. They can also develop varying aspects of mood disturbances or depression especially including poor sleep and tearfulness.

How are the principles and methods for investigating psychological injuries following a data privacy violation evolving?

As a result of increased volumes of data breach incidents, lawyers and experts are using their respective skills to assess the psychological and social consequences, symptoms and ‘injuries’ in reliable and valid ways. Structured interviewing, psychometric assessment and perusal of medical and occupational records are all part of this process.

Do organisations (those that hold our data) understand the full impact, psychological stress, and trauma that can be experienced by individuals following a data breach?

Learning how individuals are adversely affected by data breach events is a gradual process. Once an organisation has ‘got it wrong’, it should learn in a reflective way, why and how this occurred and what deleterious effect a data breach has had on any one individual. As a result, it should improve security practices to prevent further occurrences.

What about the ICO? Does it still need educating on the emotional impact of data breaches?

The role of the Information Commissioner’s Office (ICO) is to uphold information rights in the interest of the public and manage the complaints process. To do this effectively it needs to understand the various psychosocial effects that data breaches can have on individuals.

Do changes to the law that reflect the impact of emotional distress go far enough?

It is important that mild or minor examples of emotional distress get recognised as well as the more severe and disruptive effects. However, it is essential that these are assessed and described in a reliable way.

How are psychologists and lawyers collaborating in this area?

Collaboration between lawyers and psychologists will result in clear and reliable assessment of the psychological effects of data breaches on individuals and families. In some cases, once an assessment takes place, some form of treatment may be appropriate to rectify any residual or ongoing problems. Collaboration will encourage rapid, accessible and effective assessment and treatment where appropriate.

What is working, and where do we need to improve?

In order to maximise the usability of a psychological assessment, it is essential to have a clear and concise description typically for a focused witness statement, as to the effects of the specific data breach. I repeat, ‘concise and focused’, rather than lengthy and unclear.

What can the legal profession do to shed more light on the emotional impact of data breaches and cybercrime?

Education within the legal media, both written and digital, concerning the psychological effect of data breaches reinforced at legal educational meetings and conferences will raise the bar of how much lawyers know and understand about data breach effects.

Are digital innovations making the data breach claims process less stressful for victims?

Digital innovation (D.I) is a development which has both positive and negative effects on the practice of law and wellbeing. If D.I helps to increase the recognition of data breach effects and their resolution, then this will reduce the overall stress on victims who are bringing claims.

Anything else you want to add?

This is an exciting and very worthwhile relatively new medico-legal intervention. At this time, it is likely that more such cases will be investigated. Further analysis of the effects on compensation and rehabilitation will be necessary.




Hospital gives sensitive pregnancy discharge pack to wrong woman

Before they leave hospital, new mothers are given a set of postnatal notes, with information about their labour, delivery and postnatal care in hospital.

In a recent case, we saw the impact of what can happen when this personal pregnancy discharge pack was given to the wrong person by mistake.

What happened in this case?

Following the birth of her son, a woman was contacted on Facebook by a woman who knew her name, address and other personal information. Due to the personal information disclosed via the message she thought she was being contacted by her estranged mother and sister. This caused her considerable upset.

However, it eventually became clear that she was being contacted by a stranger who had been given her pregnancy discharge pack and the personal details of her son by mistake. This happened despite the fact that the other woman had attended a completely different hospital in a different town from her.

As a result of this data breach, the woman suffered stress, anxiety and trauma, which resulted in her needing medication from her GP. She has also suffered from ongoing flashbacks of family problems.

Lessons learned

The healthcare sector handles some of our most sensitive personal data, and, as patients, we have the right to expect this will be looked after. However, all too often this isn’t the case.

Hospitals and other healthcare organisations need to do more to protect sensitive patient data. It is vital that there are adequate and robust protections in place to secure patient information and that healthcare staff have the knowledge and ability to handle such data securely.

Not just hackers

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. To do this, we are sharing such real-life examples of data breaches to raise awareness of this issue and educate people to prevent similar mistakes from happening.

For more advice on how to keep your data safe, follow our #notjusthackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.