INFORMATION COMMISSIONER'S OFFICE

GP surgery reprimanded after excessive medical history of terminally ill patient sent to insurer

By Liz Wells 04 February 2026

The Information Commissioner’s Office (ICO) has reprimanded Staines Health Group for sending excessive medical details about a terminally ill patient to their insurance company.

GP surgery reprimanded after excessive medical history of terminally ill patient sent to insurer

A patient at the NHS GP surgery was diagnosed with a terminal illness and made a claim to their insurer. The insurer, on behalf of the patient, subsequently requested that five years of medical history be sent to the patient to review, before being sent to the insurer in order to progress the claim.

However, instead of five years of medical history being sent to the patient, Staines Health Group sent 23 years of medical records direct to the insurer. The patient believed the excessive disclosure of unnecessary medical records led to a reduction in the payout of their claim.

Failures of Staines Health Group that led to the incident included a lack of written process for staff to follow when handling insurance requests and a lack of regular refresher data protection training for staff. 

Following the incident, Staines Health Group took various steps, including:

·       Completing a significant event report, which aimed to establish the root cause of the disclosure email and what lessons could be learned from the incident

·       Drafting a written document that staff can follow when handling insurance requests

·       Updating its procedure for handling insurance provider requests to include additional training and a sign-off sheet

·       Giving the member of staff responsible a warning and placing them under supervision for six months.

·       The reprimand sets out the mistakes made in the handling of the request.

David Doodson, ICO interim head of investigations, said: ‘All personal information must be handled with care but health records – sensitive personal data – require particularly robust measures. This is because the loss of this kind of data can have distressing consequences for those involved. 

‘We recommend other organisations take note of the lessons learned from the mistakes of Staines Health Group in this case.'

The lessons learned for other organisations include:

  • The need for written processes to be in place to support staff when handling personal data
  • Consider the need for a quality assurance process when sharing personal data externally
  • Provide up-to-date and regular data protection training for staff.

Tags

Popular articles by Liz Wells

  1. Heidi launches hardware for audio capture in clinical settings
  2. Scottish Government unveils plan to help patients with complex care needs live in communities
  3. Dame Gill Morgan chosen as South West regional chair
  4. West Yorkshire ICB selects new chair

Related Articles

PREVENTATIVE
Confirmed cases rise following measles outbreak

Confirmed cases rise following measles outbreak

By Lee Peart 20 February 2026

The UKHSA has confirmed 60 cases of measles in north London following an outbreak.

SUPPLY CHAIN

Bone cement delays to significantly impact joint operations

By Lee Peart 20 February 2026

NHS trusts have warned joint replacement operations may be significantly impacted by a global delay in bone cement supplies.

WORKFORCE

Serious shortfall in stroke consultants revealed

By Lee Peart 07 January 2026

A serious shortfall in NHS stroke consultants has been revealed, with 70% of services in England having at least one unfilled post and 10% of the workforce c...

Popular articles by Liz Wells

  1. Heidi launches hardware for audio capture in clinical settings
  2. Scottish Government unveils plan to help patients with complex care needs live in communities
  3. Dame Gill Morgan chosen as South West regional chair
  4. West Yorkshire ICB selects new chair