Everyone knows that the acronym NHS stands for National Health Service but over the last week or so, some patients may believe it stands for Not Held Securely at least as far as their data is concerned.
In June 2024, a cyber-criminal group calling itself Qilin compromised Synnovis, a pathology services provider to NHS hospitals in south-east London, and extracted a significant amount of data. The stolen data included patient names, addresses, medical histories, and other sensitive information, including, it is believed, blood test results. Qilin is also reported to have encrypted the provider’s systems as part of the attack, meaning that the affected hospitals could no longer access them. Qilin went on to publish, on 20 June 2024, some 400GB of the stolen data on the dark web.
This breach not only violated individual privacy but also exposed the affected individuals to significant risks, including identity theft, blackmail, and other forms of exploitation. The most visible effect, however, has come not from the theft of the data but from the loss of access to the systems that held it: the disruption to pathology services has forced hospitals to postpone operations. By way of example, BBC News reported the postponement of an emergency operation on a child to remove a cancerous tumour. Delays such as this are not only frustrating but potentially life-threatening and, even where the outcome is positive, could well have long-term psychological implications for the patient.
The legal framework
The UK’s data protection laws are primarily governed by the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR). These impose stringent requirements on the handling, processing, and protection of personal data. Key principles include the ‘integrity and confidentiality’ principle in Article 5(1)(f) UK GDPR, which requires that personal data be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The UK GDPR (Article 9) treats the following as special category data, commonly referred to as sensitive personal data:
genetic data, biometric data used to identify an individual, and data concerning health, as well as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or a person’s sex life or sexual orientation.
Given that the data taken includes health data, which is special category data, the Information Commissioner’s Office (ICO) would expect extra safeguards to have been in place to ensure the integrity and security of that data.
Legal implications
Regulatory fines and sanctions
In the wake of the breach, the ICO, the UK’s data protection authority, will likely conduct a thorough investigation. If the organisations responsible for the data are found to have failed in their duty to protect it adequately, they could face substantial fines. Under the UK GDPR, fines can reach up to £17.5 million or 4% of annual worldwide turnover, whichever is higher. For organisations the size of NHS trusts, this could translate into a significant financial penalty. Given, however, that the NHS is a public body already strapped for cash, and that the ICO has said it will generally reserve fines against public bodies for the most serious cases, it is more likely that the ICO will seek to work with the NHS to ensure that its systems are improved to prevent a similar occurrence.
Civil liability
Affected individuals may seek compensation for damage resulting from the breach. The UK GDPR grants data subjects the right to claim compensation for both material and non-material damage caused by an infringement. While this is what the legislation says, a claimant must plead the specific damage arising from the breach fully and properly. A general sense of unease at having one’s data stolen is understandable and normal but is unlikely to result in a significant award of compensation. In this case, however, given that very serious or life-threatening operations are being delayed, where a delay significantly affects a patient’s prognosis it may well result in a significant award of compensation.
In this regard, whilst the limitation period for data breach claims is usually six years, the limitation period for personal injury claims is only three years. Accordingly, once the prognosis is clear, it is essential that anyone intending to seek compensation takes legal advice as soon as possible.
Conclusion
The NHS data breach in June 2024 serves as a stark reminder of the critical importance of data protection in the digital age. The legal implications are significant, encompassing regulatory fines and civil liability for the organisations holding the data, and criminal liability for the attackers should they ever be identified. Moving forward, healthcare organisations must prioritise cybersecurity, including the security of suppliers that process patient data on their behalf, alongside regulatory compliance and public education, in order to safeguard personal data and maintain public trust. By learning from this incident, the NHS and other institutions can better protect the sensitive information entrusted to them.
How can we help?
Kevin Modiri is a Partner in our expert Dispute Resolution team, specialising in civil disputes, insolvency, inheritance disputes, data breach claims and defamation claims.
If you have any questions concerning the subjects discussed in this article, please do not hesitate to contact Kevin or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.