Information risk and impacts to individuals following personal data breaches: guidance for patients and service users
This guidance provides more detailed information governance (IG) advice on the potential negative impacts or risks to individuals when different types of information are breached. It explains the actions that patients, health and care professionals and information governance professionals may need to take in the aftermath of a breach to limit its effects on impacted individuals and their information.
A personal data breach is when the personal information that an organisation holds about you is accidentally or unlawfully:
- lost
- destroyed
- accessed
- altered
- made unavailable
- disclosed to someone who should not have it
Personal information may include confidential patient information which you have provided to health and care organisations such as your:
- name
- date of birth
- contact information
- health and care information, for example the notes taken by health and care professionals during a consultation, correspondence and images
In many cases data breaches do not lead to a significant risk to the people whose information is breached, because action is quickly taken to limit the impact. However, if your information has been involved in a breach, there could in some cases be a risk of a negative impact on you, depending on the type of personal data breach and the information involved. This could include:
- being targeted by scams, phishing attacks or other crime
- being the victim of identity fraud
- being discriminated against
- facing reputational damage
- your care being impacted, for example, if test results become unavailable
Health and care organisations will take steps to limit the risk to people whose information is breached. They will investigate the details of the breach to decide how likely it is that any of the risks above may happen. Where they believe there is a high risk to you, they will let you know. Health and care organisations will inform you in different ways depending on the situation: for example, this could be a letter, or, if there are many people impacted, there may be a notice on the website of the organisation caring for you.
If you are told that your information has been involved in a data breach, there are some actions you can take to protect yourself. These include:
- be vigilant for scam contact (by letter, phone or email) - the National Cyber Security Centre phishing scams guidance describes how to spot scam emails, texts, websites and calls
- report scam mail received by post to Royal Mail
- report scam calls, emails and texts to Action Fraud and/or the Information Commissioner’s Office
- report stolen or copied details to the relevant organisation such as your bank, passport office or online account administrator so that they can review security or issue you with new credentials where needed
- check for unusual or suspicious activity on any accounts, such as online accounts or bank accounts, where your log-in or access information has been involved in a breach - for example, check for transactions or communications that you do not recognise and report these to the organisation which manages the account
- change passwords for your online accounts
- if you suspect a risk to your safety, contact the police
The organisation that is managing the breach of information may suggest further action you can take.
The National Cyber Security Centre has produced data breach guidance for individuals and families in the event of a potential personal data breach, including advice on what to be alert to and how to protect yourself.
Last edited: 11 May 2026 1:25 pm