The recent case of a former healthcare professional being cautioned by the Information Commissioner's Office (ICO) over the deliberate misuse of the Princess of Wales's private medical records highlights the gravity of data breaches in the NHS. The individual, who previously worked at a London-based private hospital, made an offer to disclose sensitive information for financial gain, prompting a thorough investigation by the ICO.
The breach came to light when The London Clinic reported it in March 2024, following a planned abdominal surgery the Princess of Wales underwent in January. Tragically, she was later diagnosed with cancer during post-operative tests, which she received at the facility. Notably, The London Clinic has also treated King Charles in recent years.
The ICO confirmed that the caution was issued under section 170(5) of the Data Protection Act 2018, following a comprehensive assessment under the Code for Crown Prosecutors and the ICO's prosecution policy. Describing the conduct as "the deliberate misuse of highly sensitive personal information" and an offer to disclose it for financial gain, the watchdog stated that this represented a clear breach of trust.
Despite the severity of the individual's actions, the ICO deemed that a formal caution was the most appropriate enforcement response. The watchdog also investigated whether there were any organisational issues at The London Clinic, but concluded that no failings met the threshold for regulatory action against the hospital itself.