

Practices urged to review data protection processes as surgery given reprimand by ICO


by Rima Evans
5 February 2026


GP practices are being reminded to put robust measures in place for handling personal data after a surgery was issued with a formal warning by the data protection watchdog over the way it managed an insurance request for a patient’s details.

The Information Commissioner’s Office (ICO) issued a reprimand at the end of 2025 to Staines Health Group for a breach of data protection rules, after finding it had sent excessive medical information about a patient who had been diagnosed with a terminal illness and who had made a claim to their insurance company.

As part of the claim, made in 2024, the insurer had requested on behalf of the patient that five years of medical history be sent to the patient to review, before being passed on to the insurer in order to progress the claim.

But, instead of five years of medical history being sent to the patient, a member of staff from Staines Health Group sent 23 years of medical records direct to the insurer, prompting the patient to report their concerns that their records had been shared.

The patient believed the excessive disclosure of unnecessary medical records led to a reduction in the payout of their claim, the ICO said. It was this that prompted the patient to raise concerns with the practice that their records had been shared.

And although the practice did formally report the personal data breach to the ICO, it did so only after a delay of more than 72 hours, which also goes against GDPR regulations and was a factor contributing to the warning being issued.

After an investigation, the watchdog said that a lack of any written process for staff to follow when handling insurance requests, and a lack of regular refresher data protection training for staff, had led to the breach. For example, the member of staff responsible for the incident received training on processing insurance requests in 2022 but received no further training or refresher training after that.

It also concluded that the ‘data that was shared… was not adequate, relevant and limited to what is necessary in relation to the purposes for which it was processed’.

Meanwhile, the delay in reporting the breach had been an infringement of the regulations too, the ICO said. It was caused by the practice not being able to access password-protected information needed for the report while the member of staff who held it was on leave – and no contingency arrangements being in place.

The ICO said the practice has since taken steps to improve its processes, including:

  • Completing a significant event report which aimed to establish the root cause of the disclosure email and what lessons could be learned from the incident.
  • Drafting a written document staff can follow when handling insurance requests.
  • Updating its procedure for handling insurance provider requests to include additional training and a sign-off sheet.
  • Giving the member of staff responsible a warning and placing them under supervision for six months.

David Doodson, ICO interim head of investigations, said that they ‘recommend other organisations take note of the lessons learned from the mistakes of Staines Health Group in this case.’

He added: ‘All personal information must be handled with care but health records – sensitive personal data – require particularly robust measures. This is because the loss of this kind of data can have distressing consequences for those involved.’

What are the lessons learned for other practices?

  • Put written processes in place to support staff when handling personal data.
  • Consider the need for a quality assurance process when sharing personal data externally.
  • Provide up-to-date and regular data protection training for staff.

Source: ICO