GP surgery reprimanded after excessive medical history of terminally ill patient sent to insurer

The Information Commissioner’s Office (ICO) has reprimanded Staines Health Group for sending excessive medical details about a terminally ill patient to their insurance company.

A patient at the NHS GP surgery was diagnosed with a terminal illness and made a claim to their insurer. The insurer, on behalf of the patient, subsequently requested that five years of medical history be sent to the patient to review, before being sent to the insurer in order to progress the claim.

However, instead of five years of medical history being sent to the patient, Staines Health Group sent 23 years of medical records direct to the insurer. The patient believed the excessive disclosure of unnecessary medical records led to a reduction in the payout of their claim.

Failures of Staines Health Group that led to the incident included a lack of written process for staff to follow when handling insurance requests and a lack of regular refresher data protection training for staff. 

Following the incident, Staines Health Group took various steps, including:

  • Completing a significant event report, which aimed to establish the root cause of the disclosure email and what lessons could be learned from the incident
  • Drafting a written document that staff can follow when handling insurance requests
  • Updating its procedure for handling insurance provider requests to include additional training and a sign-off sheet
  • Giving the member of staff responsible a warning and placing them under supervision for six months.

The reprimand sets out the mistakes made in the handling of the request.

David Doodson, ICO interim head of investigations, said: ‘All personal information must be handled with care but health records – sensitive personal data – require particularly robust measures. This is because the loss of this kind of data can have distressing consequences for those involved. 

‘We recommend other organisations take note of the lessons learned from the mistakes of Staines Health Group in this case.’

The lessons learned for other organisations include:

  • The need for written processes to be in place to support staff when handling personal data
  • Consider the need for a quality assurance process when sharing personal data externally
  • Provide up-to-date and regular data protection training for staff.
