How to handle a patient data breach
What every practice manager needs to know to respond with confidence, care, and compliance
Author: Thomas Andrew Porteus, MBCS. Originally published 9 July 2025
What is a patient data breach?
A patient data breach is one of the most serious - and stressful - situations a practice manager can face. Whether it’s an email sent to the wrong recipient, unauthorised access to records, or a lost device, how you respond matters just as much as the breach itself.
Handled well, a breach response can demonstrate professionalism, accountability, and a commitment to patient safety. Handled poorly, it can lead to regulatory fines, reputational damage, and a breakdown in patient trust. In 2025, with cyberattacks on the rise and increased scrutiny from the Information Commissioner’s Office (ICO), it’s no longer enough to hope it won’t happen. Every general practice needs a clear, rehearsed action plan.
A breach occurs when personal or sensitive information is accessed, shared, lost, altered, or destroyed in a way that is unauthorised or accidental. This includes:
- An email containing patient information sent to the wrong address.
- A staff member viewing records they have no reason to access.
- A lost or stolen laptop, phone, or memory stick with unencrypted data.
- Documents left in a public area or thrown away without shredding.
How to handle a patient data breach
It’s important to remember: even minor breaches must be logged. Not all need to be reported to the ICO, but all require investigation and learning. For a clear overview, see the ICO's guide to personal data breaches.
Step 1: Act immediately and contain the breach
The moment a breach is identified, the priority is to contain the situation.
- Stop the breach if possible: recall the email, remove shared access, or recover the item.
- Secure evidence: take screenshots, preserve logs, or isolate compromised systems.
- Speak to those involved: confirm facts, but avoid speculation or blame.
If IT systems have been compromised - for example, a cyberattack - escalate to your IT support.
Step 2: Log the breach and notify the right people
Every breach - no matter how small - should be recorded in your practice’s Data Breach Log or incident management system.
Notify your Data Protection Officer (DPO) promptly. They’ll support you in deciding:
- The severity of the breach.
- Whether the ICO must be informed (within 72 hours).
- Whether patients should be notified.
- What mitigation and follow-up is required.
If your DPO is unavailable, the practice manager should take the lead, recording all actions taken. The ICO's “72 hours” guide is a helpful reference here.
Step 3: Assess the risk to patients
Not every breach results in harm - but the risk must be assessed objectively. Consider:
- What data was involved (clinical information, identifiers, contact details)?
- Could the breach lead to emotional distress, identity fraud, or embarrassment?
- Was the data encrypted or password protected?
- How many individuals are affected?
If the breach poses a high risk to individuals’ rights and freedoms, you are required to notify the affected individuals without undue delay. The ICO provides practical examples of breach types and responses.
Step 4: Report to the ICO (if required)
Breaches that pose a risk to data subjects must be reported to the ICO via its online tool within 72 hours of discovery. This includes:
- What happened and when.
- Categories and volume of data involved.
- Number of individuals affected.
- Mitigation measures taken.
- DPO or contact details.
Use the official ICO breach reporting form for submission. Keep a copy for your records. Late or missed reports, without justification, may lead to enforcement action.
Step 5: Inform patients (when necessary)
If patients are affected, honesty and clarity matter.
- Use plain language.
- Explain what happened and how it affects them.
- Detail what you’ve done to contain it.
- Offer next steps - for example, a contact number, identity protection advice, or follow-up.
Patient trust can often be preserved - even strengthened - through transparent and timely communication.
Step 6: Learn and prevent future incidents
Every breach should lead to reflection and improvement. Once the immediate risk is contained:
- Debrief with involved team members.
- Complete a Root Cause Analysis or Significant Event Audit.
- Update policies or training as needed.
- Review your access controls and device security.
- Share anonymised learning at PCN level where appropriate.
Final thought: Transparency builds trust
Patients don’t expect perfection. They expect honesty, responsibility, and commitment to fixing mistakes.
How you respond to a breach can either escalate harm or demonstrate care and competence. The best defence is not just prevention, but preparation.
For more information and reporting guidance, visit the ICO’s Personal Data Breach Portal.
Article history
The information on this page has been written and reviewed by qualified clinicians.
Next review due: 9 Jul 2028
9 Jul 2025 | Originally published
Authors:
Thomas Andrew Porteus, MBCS