Skip to main content
Home

GP surgery reprimanded after excessive medical history of terminally ill patient sent to insurer

  • Date 3 February 2026
  • Type News

We have reprimanded Staines Health Group for sending excessive medical details about a terminally ill patient to their insurance company. 

A patient at the NHS GP surgery was diagnosed with a terminal illness and made a claim to their insurer. The insurer, on behalf of the patient, subsequently requested that five years of medical history be sent to the patient to review, before being sent to the insurer in order to progress the claim. 

But, instead of five years of medical history being sent to the patient, Staines Health Group sent 23 years of medical records direct to the insurer. The patient believed the excessive disclosure of unnecessary medical records led to a reduction in the payout of their claim. 

Failures of Staines Health Group that led to the incident included a lack of written process for staff to follow when handling insurance requests and a lack of regular refresher data protection training for staff.  

David Doodson, ICO Interim Head of Investigations, said:

“All personal information must be handled with care but health records – sensitive personal data – require particularly robust measures. This is because the loss of this kind of data can have distressing consequences for those involved.  
 
“We recommend other organisations take note of the lessons learned from the mistakes of Staines Health Group in this case.”

Staines Health Group took various steps after the incident including: 

  • Completing a significant event report which aimed to establish the root cause of the disclosure email and what lessons could be learned from the incident.
  • Drafting a written document staff can follow when handling insurance requests
  • Updating its procedure for handling insurance provider requests to include additional training and a sign off sheet
  • Giving the member of staff responsible a warning and placing them under supervision for six months. 

We have issued Staines Health Group with a reprimand setting out the mistakes made in the handling of the request. 

Lessons learned for other organisations include:

  • The need for written processes to be in place to support staff when handling personal data.
  • Consider the need for a quality assurance process when sharing personal data externally.
  • Provide up-to-date and regular data protection training for staff.
Notes to editors
  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
  3. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  4. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.