INFORMATION COMMISSIONER'S OFFICE

GP surgery reprimanded after excessive medical history of terminally ill patient sent to insurer

By Liz Wells 04 February 2026

The Information Commissioner’s Office (ICO) has reprimanded Staines Health Group for sending excessive medical details about a terminally ill patient to their insurance company.

GP surgery reprimanded after excessive medical history of terminally ill patient sent to insurer

A patient at the NHS GP surgery was diagnosed with a terminal illness and made a claim to their insurer. The insurer, on behalf of the patient, subsequently requested that five years of medical history be sent to the patient to review, before being sent to the insurer in order to progress the claim.

However, instead of five years of medical history being sent to the patient, Staines Health Group sent 23 years of medical records direct to the insurer. The patient believed the excessive disclosure of unnecessary medical records led to a reduction in the payout of their claim.

Failures of Staines Health Group that led to the incident included a lack of written process for staff to follow when handling insurance requests and a lack of regular refresher data protection training for staff. 

Following the incident, Staines Health Group took various steps, including:

·       Completing a significant event report, which aimed to establish the root cause of the disclosure email and what lessons could be learned from the incident

·       Drafting a written document that staff can follow when handling insurance requests

·       Updating its procedure for handling insurance provider requests to include additional training and a sign-off sheet

·       Giving the member of staff responsible a warning and placing them under supervision for six months.

·       The reprimand sets out the mistakes made in the handling of the request.

David Doodson, ICO interim head of investigations, said: ‘All personal information must be handled with care but health records – sensitive personal data – require particularly robust measures. This is because the loss of this kind of data can have distressing consequences for those involved. 

‘We recommend other organisations take note of the lessons learned from the mistakes of Staines Health Group in this case.'

The lessons learned for other organisations include:

  • The need for written processes to be in place to support staff when handling personal data
  • Consider the need for a quality assurance process when sharing personal data externally
  • Provide up-to-date and regular data protection training for staff.

Tags

Popular articles by Liz Wells

  1. Government must act on pay for 'neglected' NHS staff groups
  2. NHS England job cuts to hit women and BAME workers hardest, claims union
  3. BMA to ballot senior doctors in England for industrial action
  4. Humber Health Partnership wins funding for emergency vehicle charging facilities

Related Articles

DIGITAL
Avoiding revenue delays through automation

Avoiding revenue delays through automation

By Lee Peart 16 June 2026

Robin Beetge, financial automation advisor, RecVue explains how healthcare providers can reduce revenue delays through process automation

DIGITAL

BREAKING NEWS: Single patient record included in King's Speech reforms

By Lee Peart 13 May 2026

A single patient record joining up health and social care records is part of the NHS Modernisation Bill announced in The King’s Speech.

DIGITAL

AI regulatory framework programme for medical devices secures funding

By Lee Peart 09 April 2026

An MHRA programme to develop an AI regulatory framework for medical devices has secured £3.6m in funding from the DHSC.

Popular articles by Liz Wells

  1. Government must act on pay for 'neglected' NHS staff groups
  2. NHS England job cuts to hit women and BAME workers hardest, claims union
  3. BMA to ballot senior doctors in England for industrial action
  4. Humber Health Partnership wins funding for emergency vehicle charging facilities