
UK Watchdog Cautions Healthcare Worker Over Royal's Medical Records Breach


“People should be able to trust that the personal information they're giving to healthcare settings is safe and protected from exploitation. When this trust is broken, it's right that the law allows us to take action,” said ICO executive director for regulatory supervision, Ian Hulme.

The ICO’s decision: a formal caution under section 170(5)

On June 17 the Information Commissioner’s Office (ICO) announced it had issued a formal caution to a now former healthcare professional from London in relation to an offence under section 170(5) of the Data Protection Act 2018. The ICO said the action followed “a full assessment under the Code for Crown Prosecutors and the ICO’s Prosecution Policy.” The regulator described the conduct as “the deliberate misuse of highly sensitive personal information and an offer to disclose it for financial gain, representing a clear breach of trust.”

What the case involved: alleged access and an offer to sell royal medical records

The investigation began in 2024 after reports emerged following the Princess of Wales's stay at the London Clinic for abdominal surgery. The ICO's statement makes clear the probe centred on an insider who tried to access and sell the medical records of the Princess of Wales. It is believed that the nurse involved was subsequently struck off following the incident. Rather than pursuing a criminal prosecution, the ICO judged a caution to be the "appropriate and proportionate enforcement response."

Organizational accountability: assessed but not pursued

The ICO also said it examined whether there were wider organizational failings at play but concluded that any shortcomings “did not meet the threshold for enforcement action.” That assessment separates individual misconduct—deemed serious enough for a formal caution—from systemic breaches that would trigger regulatory penalties against the healthcare provider itself.

Healthcare insider threats in context

The ICO framed this case against a backdrop of recurring insider misuse of medical data. The watchdog reminded readers that medical information is classed as “special category” data under the GDPR because it is both highly sensitive and monetizable. The announcement recalled an earlier case from 2010 in which an NHS worker pleaded guilty to seven counts of breaching the Computer Misuse Act 1990 by illegally accessing patient records.

The announcement also referenced sector-wide research: a 2021 report found that over a third (35%) of global healthcare organisations had suffered cloud data theft by malicious insiders in the prior year, and a more recent study reported that 42% of organisations have seen an increase in threats from malicious insiders over the past year. Those figures underline the broader pattern of insider risk within which the ICO's statement situates this incident.

What this means for patients, healthcare organisations, and regulators

  • Patients and the public: Expect heightened sensitivity about trust. The ICO’s language—calling the conduct a “clear breach of trust”—signals regulators recognise the reputational and privacy harms that follow insider access to “special category” health data.
  • Healthcare organisations and employers: Providers will need to watch internal controls and staff access closely; the ICO’s review of potential organisational failings, even without enforcement, demonstrates regulators will scrutinise institutional safeguards when insiders breach trust.
  • Regulators and prosecutors: The ICO’s use of a formal caution, after applying the Code for Crown Prosecutors and its own Prosecution Policy, illustrates how enforcement can vary by case—ranging from caution to criminal prosecution depending on necessity and proportionality.

The ICO’s action in this case closes one chapter: an individual has been formally cautioned and, according to the regulator, institutional failures did not reach the level that would trigger enforcement. But the agency’s statement that it “will not hesitate to pursue criminal prosecution where it is necessary and proportionate to do so” leaves the broader question open for the sector: how will thresholds for individual versus organisational enforcement be applied as insider threats to health data continue to be documented?

Original story: https://www.infosecurity-magazine.com/news/ico-cautions-healthcare-worker/