The UK’s data protection watchdog has decided not to pursue a criminal investigation against a former healthcare worker who tried to access and sell the medical records of the Princess of Wales.
The Information Commissioner’s Office (ICO) began a criminal investigation into an insider at the London Clinic in 2024, after reports emerged following the royal’s stay there for abdominal surgery.
It’s believed that the nurse was struck off following the incident.
“Following a full assessment under the Code for Crown Prosecutors and the ICO’s Prosecution Policy, the ICO issued a now former healthcare professional from London with a formal caution in relation to an offence under section 170(5) of the Data Protection Act 2018,” the ICO said in a statement on June 17.
“The conduct involved the deliberate misuse of highly sensitive personal information and an offer to disclose it for financial gain, representing a clear breach of trust.”
The ICO said that a caution for the individual was the “appropriate and proportionate enforcement response.”
The regulator added that it considered whether there were any wider organizational issues at play here, but decided that any failings did not meet the threshold for enforcement action.
“People should be able to trust that the personal information they're giving to healthcare settings is safe and protected from exploitation. When this trust is broken, it's right that the law allows us to take action,” said ICO executive director for regulatory supervision, Ian Hulme.
“We will not hesitate to pursue criminal prosecution where it is necessary and proportionate to do so.”
Healthcare Under the Spotlight
It’s not the first time that healthcare insiders have been caught abusing their position.
In 2010, an NHS worker pleaded guilty to seven counts of breaching the Computer Misuse Act 1990 by illegally accessing the medical records of patients.
Medical information is both highly sensitive and monetizable, which is why it’s classed as “special category” data by the GDPR.
A report from 2021 revealed that over a third (35%) of global healthcare organizations suffered cloud data theft by malicious insiders in the previous year.
According to a recent study, 42% of organizations have reported an increase in threats from malicious insiders over the past year.










