
GP Surgery Sends Medical Records To Insurer In Contravention of Consent



Mr Matthew McConville, Head of our specialised Data Breach Department at Irvings Law, has successfully represented a client in a data breach compensation claim against Manor & Park Group Practice. Mr McConville’s client wishes to remain unnamed, so he will be referred to as ‘Mr A’ for the purposes of this case report.

Mr A applied for a mortgage protection policy from Zurich Insurance. In order to consider his application, Zurich Insurance required sight of his GP records from Manor & Park Group Practice and, as such, a request for Mr A’s GP records was sent to the practice via the IGPR software. Mr A was subsequently sent the medical consent form, which he signed, confirming that he wanted to see his medical records before Manor & Park Group Practice released them to Zurich Insurance.

Mr A then received a letter from Zurich Insurance confirming that they had considered all of the information submitted in support of his application and had rejected it because of the contents of his medical records. Although Mr A’s signed consent form indicated that he wished to see his medical records before they were sent to Zurich Insurance, Manor & Park Group Practice did not adhere to this. Mr A therefore sought the expert assistance of Irvings Law to take things further for him.


Without hesitation, Mr McConville offered to act for Mr A on a no win, no fee basis and, once instructed, lodged a complaint with Manor & Park Group Practice as well as the ICO. In response, Manor & Park Group Practice confirmed that their surgery administrator did not realise that she had not un-ticked the already prefilled “yes” button to “no”, so Mr A’s file was uploaded and automatically sent to Zurich Insurance without his prior review, contrary to the consent that he had provided to them. Manor & Park Group Practice apologised sincerely for the error and, following this investigation, they have changed the way in which they process requests for medical information to ensure that human errors of this nature do not occur again. Further to this, the ICO concluded that Manor & Park Group Practice had not complied with their data protection obligations.

Following this, Mr McConville sent a Letter of Claim to Manor & Park Group Practice, as they had inherently failed to keep Mr A’s personal information adequately secure and confidential, which resulted in Mr A’s personal and sensitive information being disclosed to Zurich Insurance without his knowledge and consent. Specifically, Mr McConville alleged that Manor & Park Group Practice had breached / invaded Mr A’s privacy under the Human Rights Act, had breached the Data Protection Act 2018 / the General Data Protection Regulation (GDPR), and had breached confidence following their misuse of private information pertaining to Mr A.

To Mr McConville, it was clear that Manor & Park Group Practice had accepted that they had erroneously sent Mr A’s medical records to Zurich Insurance without his prior review, which went outside the consent he gave them and constituted unlawful processing of his information, as supported by the ICO. Further, Manor & Park Group Practice admitted that the error was due to human error and sincerely apologised for what they had done.


Upon receipt of this Letter of Claim from Mr McConville on behalf of Mr A, Manor & Park Group Practice wished to engage in settlement discussions and settled Mr A’s case for £1,000.00 plus costs without Court proceedings needing to be served.

