Staff at the prestigious hospital at the center of a data breach of the Princess of Wales’s personal medical records may have been caught in a decoy trap set by managers, experts believe.
The MoS can reveal that three months later, the London Clinic is still under investigation and the case has not yet been referred to Scotland Yard, despite Health Secretary Maria Caulfield stating in March that police had been asked to look into it.
Bosses at the hospital launched an investigation after it was claimed that at least one member of staff had tried to access personal details about Kate following her planned abdominal surgery in January.
It is a criminal offense for NHS staff or private healthcare workers to access a patient’s medical records without permission from the organisation’s data controller.
Now several data specialists have told this newspaper that, had the breach occurred, staff could have been caught through a ‘decoy’ tactic used by private hospitals that often have high-profile clients.
The Princess of Wales was receiving private medical care at the London Clinic when staff were accused of accessing her personal information following a planned abdominal operation.
The investigation is still ongoing at the London Clinic. It is a criminal offense for NHS staff or private healthcare workers to access a patient’s medical records without consent.
Health Minister Maria Caulfield has called for a police investigation into the case.
To protect the health information of VIP patients, hospitals often store it in a file under a false name.
A ‘decoy’ file is then created under the celebrity’s real name. This contains false information and is regularly checked by bosses to see if wayward staff have opened it without permission.
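The decoy check described above can be automated. The following is an added example, not taken from the article or from any hospital's system: it scans audit-log lines for any access to a decoy file by someone other than the managers who routinely check it. The log format, record IDs and account names are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (assumed CSV format: time, user, action, record_id).
SAMPLE_LOG = """\
2024-01-17T09:12:04,nurse.a,VIEW,REC-1001
2024-01-17T09:40:31,clerk.b,VIEW,DECOY-0001
2024-01-17T09:41:02,clerk.b,PRINT,DECOY-0001
2024-01-17T10:05:00,records.admin,VIEW,DECOY-0001
2024-01-17T11:30:45,dr.c,SEARCH,DECOY-0001
malformed line without enough fields
2024-01-17T12:00:00,nurse.a,VIEW,REC-2002
"""

DECOY_IDS = {"DECOY-0001"}    # hypothetical IDs of decoy files
MONITORS = {"records.admin"}  # hypothetical managers who routinely check the decoy


def find_decoy_access(log_text, decoy_ids=DECOY_IDS, monitors=MONITORS):
    """Return {user: [(timestamp, action), ...]} for every touch of a decoy
    file by an account that is not an approved monitor."""
    hits = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip malformed lines rather than abort the scan
        ts, user, action, record_id = (field.strip() for field in row)
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue  # unparseable timestamp: treat as malformed
        # Any action on a decoy counts: nobody has a clinical reason to touch it.
        if record_id in decoy_ids and user not in monitors:
            hits[user].append((when, action))
    return {user: sorted(events) for user, events in hits.items()}


if __name__ == "__main__":
    for user, events in find_decoy_access(SAMPLE_LOG).items():
        first = events[0][0].isoformat()
        actions = ", ".join(action for _, action in events)
        print(f"ALERT {user}: {len(events)} decoy access(es) from {first} [{actions}]")
```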
If a breach is suspected, hospitals are required to launch their own investigation, while the Information Commissioner’s Office (ICO) investigates whether management has done anything wrong. But this process is painfully slow.
Sam Smith, of health data privacy group MedConfidential, said: ‘It is disappointing but unfortunately normal that there has been no update on the investigation three months later.’
He said data breaches are ‘sadly common’ and added: ‘It’s rare that people find out when a data breach has occurred, and even rarer that they can get the evidence to prove it, and if they do, the process is still very slow.’
Tom Llewellyn, partner in commercial litigation and data protection at law firm Ashfords, said: ‘It could take years before action is taken against the individuals.’
He highlighted a similar case last year when a former NHS secretary was fined £648 for accessing the medical records of more than 150 patients – four years after the breaches took place.
Last month, a hospital doctor was suspended for three years after reading the health data of a woman he met on a dating app in 2021.
The London Clinic has not provided an update since the suspected breach of the Princess of Wales’s health data was reported.
The ICO told the MoS: ‘Investigations into reported data breaches can be very complex and our expert team must be given sufficient time to conduct their investigation.
‘To protect the integrity of an ongoing investigation, we will not provide regular updates on its progress to those not directly involved until its conclusion.’
The Met Police confirmed they were ‘not aware of any referral’ about the breach.
Kensington Palace said: ‘This is a matter for The London Clinic.’