The UK’s data protection authority has confirmed it is investigating the reported breach of Kate Middleton’s medical records at The London Clinic.
In a statement, an Information Commissioner’s Office (ICO) spokesperson said: “We can confirm that we have received a breach report and are assessing the information provided.”
The announcement on March 20 follows numerous media reports that staff members at The London Clinic attempted to access the Princess of Wales’ private medical records during her stay at the hospital in January 2024 following abdominal surgery.
UK newspaper The Mirror has reported that up to three staff are being investigated by the prestigious clinic for allegedly accessing the Princess’ medical records.
In a statement, The London Clinic CEO, Al Russell, told NBC News that the hospital has systems in place to monitor management of patient information and insisted that, in the case of any breach, all appropriate investigatory, regulatory and disciplinary steps will be taken.
“Everyone at The London Clinic is acutely aware of our individual, professional, ethical and legal duties with regards to patient confidentiality,” he stated.
ICO Likely to Take Strong Enforcement Action
The ICO can bring criminal charges against any individual found to have unlawfully accessed, or attempted to access, the data; anyone convicted would face an unlimited fine.
The regulator could also impose heavy sanctions on The London Clinic itself if it were found to have failed to put sufficient safeguards in place to protect the Royal’s data.
Joe Jones, Director of Research and Insights for the International Association of Privacy Professionals (IAPP), noted that the ICO has a track record of rigorously enforcing cases where patient medical data has been exposed or unlawfully accessed, due to the highly sensitive nature of such information.
This includes a reprimand issued in January to South Tees Hospitals NHS Foundation Trust for a data breach in which a disclosure containing sensitive information was sent to an unauthorized family member.
The ICO ordered the Trust to implement new standard operating procedures and provide staff training to ensure health data is protected and to reduce the possibility of unlawful disclosures.
Jones added that the scale of the damage that could be caused by this particular breach, involving a senior member of the Royal Family, will influence the ICO’s approach.
“The seriousness with which the ICO approaches this breach will be an important reminder that employees with access to other people’s personal data does not equate to those employees having the necessary permissions and legal right to access and share that data,” he outlined.
This would not be the first occasion on which a celebrity’s medical records have been unlawfully accessed while in hospital. It was reported that after Top Gear presenter Richard Hammond suffered a crash during filming in 2006, his medical records were accessed around 300 times in the 24 hours after the crash, rather than the 20 or so accesses that would be expected for a patient in intensive care.
Richmond-Coggan, Data and Privacy Litigation Partner at Freeths LLP, said a factor in determining any sanctions issued to individuals found guilty in a case like this could be intent.
“There is a world of difference between inadvertent unauthorized access to information, and someone deliberately setting out to intrude into a patient’s privacy, whether that is for idle curiosity or because they are hoping to use the information to sell to the media,” commented Richmond-Coggan.
Protecting Against Healthcare Insider Breaches
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, said this case highlights the importance of cybersecurity hygiene and ethics in all aspects of healthcare.
“At its core, this incident is a glaring testament to the pressing need for rigorous cybersecurity measures and ongoing staff training to mitigate insider threats, which often pose as significant a risk as external attackers,” he explained.
Malik noted that a positive security culture is particularly important in healthcare institutions, given the nature of information that is being held.
A heightened level of security and safeguards should also be in place for patients in the public eye, according to Richmond-Coggan.
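The two signals described above, an access count far above the baseline for a comparable inpatient (the Richard Hammond case) and access to a flagged patient's record by staff who are not on that patient's care team, are what an electronic health record audit monitor would look for. The following is an added example written for this article; it is not code from The London Clinic, the ICO, or any product mentioned on the page. The audit-log field layout, the care-team registry, the baseline of two accesses per day and the alert factor of three are all assumptions, and the log lines are constructed sample data.

```python
"""Flag suspicious access to patient records from EHR audit-log lines.

Added example for this article; not code from any organisation named on the page.
Check 1: a volume anomaly, a patient whose record is opened far more often in a
         rolling 24-hour window than a baseline for comparable inpatients.
Check 2: a restricted-patient check, any user not on the registered care team
         opening the record of a patient flagged for heightened monitoring.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). Field layout is an assumption:
# ISO timestamp | user id | role | patient id | action
SAMPLE_LOG = """\
2024-01-17T07:55:00|u101|nurse|P-VIP|view
2024-01-17T08:10:00|u102|surgeon|P-VIP|view
2024-01-17T09:02:00|u250|nurse|P-VIP|view
2024-01-17T09:03:30|u250|nurse|P-VIP|view
2024-01-17T11:40:00|u301|admin|P-VIP|view
2024-01-17T12:15:00|u101|nurse|P-VIP|update
2024-01-17T13:20:00|u402|porter|P-VIP|view
2024-01-17T14:05:00|u103|anaesthetist|P-VIP|view
2024-01-17T08:30:00|u201|nurse|P-2|view
2024-01-17T10:00:00|u202|physician|P-2|update
2024-01-17T16:45:00|u201|nurse|P-2|view
"""

# Assumed care-team registry (in practice maintained by the ward/admissions system)
CARE_TEAMS = {"P-VIP": {"u101", "u102", "u103"}, "P-2": {"u201", "u202"}}
# Patients flagged for heightened monitoring, e.g. those in the public eye
RESTRICTED = {"P-VIP"}


def parse_audit_log(text):
    """Parse pipe-separated audit lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, role, patient, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def volume_anomalies(events, expected_per_day, factor=3.0, window=timedelta(hours=24)):
    """Return {patient: peak_count} for every patient whose number of accesses in
    some rolling window exceeds factor * expected_per_day (two-pointer sweep)."""
    by_patient = defaultdict(list)
    for e in events:
        by_patient[e["patient"]].append(e["ts"])
    threshold = factor * expected_per_day
    flagged = {}
    for patient, stamps in by_patient.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it is within `window` of `ts`
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[patient] = peak
    return flagged


def non_care_team_access(events, care_teams, restricted):
    """Return sorted, de-duplicated (user, role, patient) triples for accesses to a
    restricted patient's record by a user not on that patient's care team."""
    hits = set()
    for e in events:
        team = care_teams.get(e["patient"], set())
        if e["patient"] in restricted and e["user"] not in team:
            hits.add((e["user"], e["role"], e["patient"]))
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    print("volume anomalies:", volume_anomalies(evs, expected_per_day=2))
    print("non-care-team access:", non_care_team_access(evs, CARE_TEAMS, RESTRICTED))
```

On the sample data the volume check flags only P-VIP (8 accesses in one window against a threshold of 6), and the care-team check surfaces three users who opened that record without being registered to the patient's care. Neither check proves wrongdoing on its own; a porter or an administrator may have a legitimate reason to open a record, which is why the output is a lead for the clinic's investigatory process rather than a verdict, and why a break-the-glass prompt that records a justification at access time is the usual complement to after-the-fact alerting.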
On March 18, the ICO published new data protection fining guidance, setting out how it decides to issue penalties and calculate fines.