Wigan hospitals pay out more compensation for data breaches than any other

An investigation by Legal Expert has revealed a stark increase both in terms of human error and cyber-attacks throughout the NHS, with the service stumping up £1.5m in data breach claims.

Wrightington, Wigan and Leigh NHS Trust (WWL) came far and above any other in the UK, with a hefty compensation pay-out total of £79,650 in the last three years.

Between the financial years, 2020/21 and 2022/23, the trust had 61 claims lodged against it.

During this time, it settled 47 claims, paying out a total of nearly £80K.

The second highest amount was paid out by Norfolk and Norwich University Hospitals NHS Foundation Trust.

It forked out a total of £46,875 since 2020 but this was for a total of five data breach claims.

The trust came under fire in 2019 after sending personal details of patients to wrong addresses.

Data Breach specialist at LE, Eleanor Coleman says: “This rise in the Health Sector is worrying and we hope that organisations are ensuring that they have sufficient security in place to protect people’s personal information.”

The NHS is expected to collect, store, use, share and dispose of personal information or data about individuals, in line with the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA).

Under data protection law, organisations must have appropriate technical and organisational systems in place to ensure personal data is kept safe and not inappropriately disclosed to others.

According to the ICO (Information Commissioner’s Office), data breaches within the health sector have risen by 21% between 2022 and 2023.

The most common of which are recorded as ‘unauthorised access’ - this is when an unauthorised individual has gained access to personal data and can include prohibited disclosures.

It describes instances where an individual has unlawfully accessed or disclosed information and where a third party has forcibly accessed a system.

Given the extremely sensitive nature of information health by the NHS, data breaches within its systems can have concerning impacts.

Most recently, South Tees Hospital NHS Foundation Trust was reprimanded for a “serious, harmful data breach” by the ICO which resulted in a disclosure containing sensitive information to an unauthorised family member.

Legal Expert conducted an investigation following an influx of enquiries about data breaches in the healthcare sector, particularly within the NHS.

In 2022, a total of 1,607 data breaches were reported to ICO from the health sector, this soared to 1,949 incidents the following year.

So far this year, between January 1 – March 20, 2024, a total of 505 data breaches have been reported by the health sector to ICO. That’s an average of 168 incidents a month. If the trajectory continues, figures could reach record highs this year of around 2,020.

Data obtained through a series of Freedom of Information requests to every NHS Trust in the UK revealed those that have had the most data breach claims lodged against them as well as the trusts forking out the most in compensation for such claims.

All trusts provided the requested information. A total of 897 Data Breach claims were lodged against NHS Trusts between the financial years 2020/21 and 2022/23.

In this time period, 418 claims were closed with a compensation payment. The total amount of damages paid by the NHS for these claims was £1,537,295.

Some 212 data breach claims were closed during this period with NIL damages paid out.

Legal Expert’s investigation reveals a total of 20 NHS Trusts paid out thousands in data breach compensation claims in the last three years, with Wigan coming top.

Prof Sanjay Arya, Medical Director and Caldicott Guardian at WWL, said: "Wrightington, Wigan and Leigh Teaching Hospitals NHS Foundation Trust (WWL) takes data protection and patient confidentiality very seriously.

“As data custodians for the personal information of our patients, WWL holds itself to a high standard to ensure that there is complete transparency regarding any data breaches, adhering to the Data Protection Act 2018 and the General Data Protection Regulations.

“A significant portion of the figures reported relate to a data breach in 2019, which involved multiple claimants because of the Trust’s ongoing drive for transparency to our patients. We take our duty of confidentiality to our patients extremely seriously, and our Information Governance team conducted a thorough investigation, with these breaches dealt with appropriately.

“WWL apologised to patients involved in the concerned data breaches. The incidents were also reported to the Information Commissioner’s Office.

“Since 2019, multiple new proactive processes and systems have been put in place to ensure that the security of patient data remains a priority and patients can be assured their data is protected.

“Additionally, our approach has been scrutinised by our auditors, national bodies and relevant stakeholders, all of whom are satisfied that our processes go beyond the required standards.”

Victims of a breach may be able to claim compensation providing a certain set of criteria is met.

Expert Eleanor Coleman said: “We have noticed an increase in data breaches generally over the last year, both in terms of human error and cyber-attacks.

“We understand that this is worrying and hope that organisations are ensuring that they have sufficient security in place to protect people’s personal information.

“In terms of compensation, this is dependent upon what has happened, the information which has been subject to the data breach and the distress it has caused. A lot of cases can be settled without the need to issue Court proceedings, but if this is necessary, then we would advise clients accordingly.”

Legal Expert has a team of experts on hand to offer free guidance and advice for anyone with concerns following a data breach.

It operates a 24-hour helpline and live chat service which can be accessed on its website.