The ICO exists to empower you through information.

An ICO spokesperson said:

“We can confirm that we have received a breach report and are assessing the information provided.”

Q&A from the Information Commissioner’s Office

Should I be worried about someone looking at my medical records?

Organisations have a responsibility to look after your personal information carefully. That means keeping it secure, and making sure it can only be seen by people who need to use it.

If organisations do not keep your personal information safe in line with the law, the Information Commissioner’s Office (ICO) can step in.

Who are the ICO?

The ICO is the UK’s independent regulator for data protection. It works to protect people’s privacy rights, taking action so that people can trust their information is being properly looked after.

Last year, the ICO dealt with almost 40,000 complaints about data protection, as well as taking more than 300,000 calls through its helpline.

What can the ICO do?

An organisation must report misuse of personal data to the ICO if there is a risk to people’s rights and freedoms, which is often the case with sensitive medical information. 

This must be reported within 72 hours of becoming aware of the breach. 

What happens next?

Accessing someone’s medical records without cause or consent can be a criminal offence. 

If the ICO investigates and finds evidence that medical records were accessed illegally, it can take action. 

This can include prosecuting and fining the person responsible in court.  

For example, last year the ICO prosecuted a medical secretary who accessed over 150 people’s records. She was fined by the courts.

The ICO can also take action against organisations, including fines, if an investigation finds they did not do enough to protect people’s personal information. For example, last year the ICO reprimanded an NHS Board after it allowed a member of the public to read patients’ medical records.