The Information Commissioner’s Office (ICO) has launched an investigation after medical records relating to personal injury claims were found in a skip outside a law firm’s former office in St Helens, Merseyside.
The documents, belonging to Woodwards Solicitors, reportedly included details of appointments at local hospitals.
They also included people’s home addresses, phone numbers, NHS numbers, dates of birth, their usual GP, and descriptions of symptoms and treatments relating to a variety of injuries.
Tim Wood, director of Woodwards, told Legal Futures he had reported the data breach to the Information Commissioner’s Office, which was investigating.
“It shouldn’t have happened,” he said. “We are fastidious in our approach to data protection, with a shredding company we’ve used for years.”
Mr Wood said the firm had moved out of the office 18 months ago to a new one on the same street, because it needed more space. He said he believed that the only thing left behind was rubbish, which needed to be cleared before the lease on the old office expired in the autumn.
“Guys were coming in one weekend and filling a skip,” he said. “The box containing the documents was sealed. They must have assumed it was rubbish and dumped it in the skip with the rest.
“Unfortunately the contents were not checked. The damage was minimised because the person who found them immediately reported it to us within the hour.
“It was a genuine error and a very unfortunate mistake. Happily the records did not fall into the wrong hands and the damage was limited. All I can do is ensure it never happens again.”
A spokeswoman for the ICO said: “We are aware of an incident involving Woodwards and we are making enquiries.”
Mr Wood said he had also reported the data breach to the Solicitors Regulation Authority (SRA). A spokesman for the SRA confirmed this.
In a separate development, the Retail Motor Industry Federation (RMI) said “market intelligence” from a number of members had shown that drivers’ personal data, including phone numbers and addresses, appeared to have been accessed by “third parties” not involved in repairing the cars.
The spokesman said that for several months, RMI Bodyshops – which is comprised of the National Association of Bodyshops and the Vehicle Builders and Repairers Association – had been investigating a “potentially serious breach of repairer management systems confidentiality and the apparent release of personal data to third party legal firms and accident management companies”.
Jason Moseley, executive director at RMI Bodyshops said: “As part of an internal investigation, one of the bodyshops involved entered fictitious data into the system to attempt to draw out a reaction.
“Within a few hours of this data entry, a call was received from an accident management company trying to leverage a compensation claim.
“RMI Bodyshops and its members informed the necessary authorities and have been working together with them behind the scenes.”
Jonathan White, legal director of National Accident Helpline, said the bodyshop data breaches gave a “real insight” into the unscrupulous activities affecting the personal injury market.
Following the revelations, there needed to be a “full investigation as to whether this data is being illegally sold on as a result of the actions of rogue employees, hacking or, more worryingly, as a revenue generation activity by those capturing the data”, he said.