ICO Reprimands GP Surgery for Excessive Medical Data Disclosure
Summary
The UK's Information Commissioner's Office (ICO) has reprimanded Staines Health Group for sending 23 years of a terminally ill patient's medical records directly to an insurer, instead of the requested five years to the patient. The ICO cited a lack of written processes and inadequate training as contributing factors.
What changed
The Information Commissioner's Office (ICO) has issued a reprimand to Staines Health Group, an NHS GP surgery, for a significant data breach involving the excessive disclosure of a terminally ill patient's medical history to an insurance company. The surgery mistakenly sent 23 years of records directly to the insurer, rather than the five years requested for the patient's review. This incident, which the patient believes impacted their insurance payout, was attributed to a lack of clear written procedures for handling such requests and insufficient data protection training for staff.
This case serves as a critical reminder for healthcare providers and other organisations handling sensitive personal data. The ICO recommends implementing robust written processes for managing insurance requests, considering quality assurance measures for external data sharing, and ensuring regular, up-to-date data protection training for all staff. While Staines Health Group has taken remedial actions, including drafting new procedures and providing additional training, the ICO's reprimand highlights the serious consequences of mishandling sensitive health information and the need for stringent data protection practices to avoid distressing outcomes for individuals.
What to do next
- Review and implement written processes for handling third-party data requests, especially for sensitive personal information.
- Ensure all staff receive regular and up-to-date data protection training.
- Establish quality assurance checks for all external data sharing.
Penalties
Reprimand issued
Source document (simplified)
GP surgery reprimanded after excessive medical history of terminally ill patient sent to insurer
- Date: 3 February 2026
- Type: News
We have reprimanded Staines Health Group for sending excessive medical details about a terminally ill patient to their insurance company.
A patient at the NHS GP surgery was diagnosed with a terminal illness and made a claim to their insurer. The insurer, on behalf of the patient, subsequently requested that five years of medical history be sent to the patient to review, before being sent to the insurer in order to progress the claim.
But, instead of five years of medical history being sent to the patient, Staines Health Group sent 23 years of medical records direct to the insurer. The patient believed the excessive disclosure of unnecessary medical records led to a reduction in the payout of their claim.
Failures of Staines Health Group that led to the incident included a lack of written process for staff to follow when handling insurance requests and a lack of regular refresher data protection training for staff.
David Doodson, ICO Interim Head of Investigations, said:
“All personal information must be handled with care but health records – sensitive personal data – require particularly robust measures. This is because the loss of this kind of data can have distressing consequences for those involved.
“We recommend other organisations take note of the lessons learned from the mistakes of Staines Health Group in this case.”
Staines Health Group took various steps after the incident including:
- Completing a significant event report which aimed to establish the root cause of the disclosure email and what lessons could be learned from the incident.
- Drafting a written document staff can follow when handling insurance requests.
- Updating its procedure for handling insurance provider requests to include additional training and a sign-off sheet.
- Giving the member of staff responsible a warning and placing them under supervision for six months.
We have issued Staines Health Group with a reprimand setting out the mistakes made in the handling of the request.
Lessons learned for other organisations include:
- The need for written processes to be in place to support staff when handling personal data.
- Consider the need for a quality assurance process when sharing personal data externally.
- Provide up-to-date and regular data protection training for staff.
Notes to editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.