Information risk and impacts to individuals following personal data breaches

12 June 2025

Sharing with colleagues Confidentiality Personal health records Comms with patients or service users UK GDPR and data protection

Use of a digital tool to support and optimise high-risk asthma patients in an NHS health and care partnership

For guidance on what a personal data breach is and the steps that need to be taken if a breach occurs including risk assessing and reporting, please read our guidance on Personal Data Breaches.

This guidance provides more detailed information governance (IG) advice on the potential negative impacts or risks to individuals when different types of information are breached. It explains the actions that patients, health and care workers and IG professionals may need to take in the aftermath of a breach to limit its effects on impacted individuals and their information.

I'm a patient/service user - what do I need to know?
I work in a health and care organisation - what do I need to know?
I'm an IG Professional - what do I need to know?

Guidance for patients and service users

A personal data breach is when the personal information that an organisation holds about you is accidently or unlawfully:

lost
destroyed
accessed
altered
becomes unavailable
disclosed to someone who should not have it

Personal information may include confidential patient information which you have provided to health and care organisations such as your:

name
date of birth
contact information
health and care information, for example the notes taken by health and care professionals during a consultation, correspondence and images

In many cases data breaches do not lead to a significant risk to the people whose information is breached, because action is quickly taken to limit the impact. However, in some cases, if your information has been involved in a breach, depending on the type of personal data breach and the information involved, there could be a risk of a negative impact on you. This could include:

being targeted by scams, phishing attacks or other crime
being the victim of identity fraud
being discriminated against
facing reputational damage
your care being impacted, for example, if tests results become unavailable

Health and care organisations will take steps to limit the risk to people whose information is breached. They will investigate the details of the breach to decide how likely it is that any of the risks above may happen. Where they believe there is a high risk to you, they will let you know. Health and care organisations will inform you in different ways depending on the situation for example this could be a letter or if there are many people impacted, there may be a notice on the website of the organisation caring for you.

If you are told that your information has been involved in a data breach, there are some actions you can take to protect yourself. This includes:

be vigilant to scam contact (by letter, phone, email) - the National Cyber Security Centre phishing scams guidance describes how to spot scam emails, texts, websites and calls
report scam mail received by post to Royal Mail
report scam calls, emails and texts to Action Fraud and/or the Information Commissioner’s Office
report stolen or copied details to the relevant organisation such as your bank, passport office or online account administrator so that they can review security or issue you with new credentials where needed
check for unusual or suspicious activity on any accounts, such as online accounts or bank accounts, where your log-in or access information has been involved in a breach - for example, check for transactions or communications that you do not recognise and report these to the organisation which manages the account
change passwords for your online accounts
if you suspect a risk to your safety, contact the police

The organisation who are managing the breach of information may suggest further action you can take.

The National Cyber Security Centre has produced data breach guidance for individuals and families in the event of a potential personal data breach including advice on how to protect yourself, what to be alert to and how to protect yourself.

Guidance for healthcare workers

For guidance on steps that need to be taken if a breach occurs see our guidance on personal data breaches.

Personal data breaches and risks to individuals will be assessed by your local IG team, data protection officer, Caldicott guardian or by the person in your organisation who is responsible for data protection and security.

You may be asked to advise on the vulnerabilities of certain individuals to allow the relevant people to make an assessment on the level of risk a breach poses to them.

Where a breach has a clinical impact, for example, because test results are unavailable due to a system outage, you may be asked to advise on the extent of clinical implications and should work closely with your wider organisation and incident response teams to mitigate any risks wherever possible.

You may also be asked to consider and advise on how an individual may be impacted by being notified of a data breach, for example, if this is likely to cause them significant distress. Your insight into the care and circumstances of the individual may be requested to inform the assessment of this risk to the individual, which may also involve discussion with your Caldicott guardian.

In certain circumstances, such as where the person impacted by the breach is considered vulnerable or there are other relevant circumstances, it may be more appropriate for a health or care professional to lead on communicating with individuals or their family/friends about a data breach. Where this is the case your IG team, or the person with responsibility for data protection in your organisation, will work closely with you to support the communication of appropriate information.

A personal data breach can cause significant distress to individuals and their families/friends. It is important that they are supported at that time. Those responsible for data protection within your organisations should be able to help you to understand the support available to individuals following a breach. Where a breach poses a risk to your relationship with an individual and potentially their care, for example if a patient or someone receiving care is refusing care because of a loss of trust, you should discuss this with your IG/data protection support and/or Caldicott guardian.

Further guidance for staff in adult social care can be found in the Digital Care Hub data breach guidance.

Guidance for IG professionals

This guidance provides information on the key considerations and potential risks involved with the breach of certain information, as well as actions you may be able to take to reduce risk. For larger organisations, some of these actions are likely to require the involvement of colleagues from other areas such as information technology (IT), cyber security, emergency preparedness, resilience and response (EPRR), business continuity and your senior management team, as well as suppliers of affected systems.

For advice on what to do if there is a personal data breach including how to report and decide on the severity of the breach see our guidance on personal data breaches.

For NHS organisations experiencing urgent cyber security issues that require immediate advice and guidance, call the NHS data security helpline on 0300 303 5222 (available 24 hours per day). Even if an incident is not expected to meet the Network and Information Systems (NIS) regulations incident thresholds or if it is unclear, seek support voluntarily from the NHS data security helpline as soon as practically possible so that the incident can be contained and further impacts mitigated. Where appropriate, NHS Cyber Operations will work with the National Cyber Security Centre to manage and resolve incidents.

For adult social care organisations, please follow the data breach guidance available as part of Better Security, Better Care. If you require technical assistance, please report this to the National Cyber Security Centre.

Risk factors

The expandable fields below describe risks associated with the breach of certain types of information. Whether these risks apply may depend on a number of factors. These should be considered when assessing whether a risk described below is relevant, and the level of the risk.

Who has accessed the information and what are their intentions?

The identity of the party who have accessed the data and their intentions for accessing the data will impact the level of risk. For example:

if a member of staff emailed information to the wrong colleague, and the recipient colleague immediately deleted the email, the risk to any individuals would reduce as a result
if a member of staff intentionally accesses information about a person in order to contact them for personal reasons, the risk of negative consequence materialising may increase
if the access to the information was by a malicious third party intending to publish the information online, the risk of a negative consequence materialising may increase
if the information has been published somewhere where it can be accessed more widely, for example on the dark web, then the risks of further access by third parties and negative impact may greatly increase

Is the access ongoing, or have copies been taken?

You may need to consult with technical experts or teams to determine whether access is ongoing or not (for example, whether exfiltration is continuing). Whether the party who has accessed the data continue to have access to the information will impact the possibility of negative outcomes. For example:

if the access or disclosure was a one-off and the party who has accessed the data (such as a malicious third party or a member of staff) no longer has access and was not able to take copies, they are unlikely to be able to use this information further therefore the risk may reduce
if the third party continue to have access to or a copy of the information, depending on the information, the risk may increase

Is the source of the information known?

The source of the information may reveal information about the data subject that is not explicitly contained in the breached data sets, and this would need to be considered in the risk assessment. For example:

if the data breached only contains a name and an address, this may be assessed as low risk - however, if the source of the data is known to be a fertility clinic for example, then there may be a greater risk to the individual if the breach discloses their engagement with this setting

Who is the information about?

Are there any special circumstances about the individual who the data relates to which may increase or reduce the risk. For example:

in the case of a child who has been removed from their parents, the breach of an address may present significantly greater risk of harm than in other cases
in the case of a vulnerable adult, they may be at higher risk of being susceptible to scamming and fraud than an adult who is not considered vulnerable
in the case of a high-profile individual, breached information may attract more attention and have a higher chance of causing reputational damage or distress

How sensitive is the information?

The information itself may be particularly sensitive in light of its nature. For example:

not all clinical information carries the same level of sensitivity - information relating to fertility treatments or sexually transmitted diseases are typically more sensitive than a routine blood pressure test or a COVID test result
for adult social care, you may hold additional information about a person receiving care which is particularly sensitive, such as bank account details or access codes to their home

Risks and mitigations by dataset

This section provides further information on the risks associated with the loss or alteration of particular data sets. The mitigations listed here are specific to the immediate reduction of risk to the individual. Depending on the size and structure of your organisation, these may need to be undertaken by different departments within an organisation. Whether or not these risks apply may be subject to the risk factors above. For further information on assessing risks and the severity of a breach, see our guidance on personal data breaches.

These lists are not exhaustive – particulars of a breach can present a variety of different risks. It is important that each breach is assessed on a case-by-case basis.

Universal identifiers such as name and date of birth

Associated risks

The breach of one identifier alone does not typically present significant risk, because there may be multiple people with that same identifier - for example, the same name or date of birth.

When released together, these identifiers serve to make breached information identifiable, which inherently increases the potential risk.

The risk to individuals becomes much greater when these identifiers are released alongside other datasets.

If key identifiers are lost or altered on an individual's record this may impede the services ability to locate records and confirm the identity of the individual when they are engaging with the service.

Mitigating actions

Immediate action should be taken to attempt to contain the risk. This may include, securing or retrieving information, as well as removing access from the party who accessed the information. If successful, this should greatly reduce risk.

If the information has been lost or altered, you may need to consider undertaking an exercise to restore or amend inaccurate information. This may include technical solutions or contacting individuals to confirm their details.

Where the breach includes other information, see relevant section for suggested mitigations.

Contact information such as address, phone numbers or email address

Associated risks

Individuals may be targeted by phishing scams (by phone call, text, email or post).

Disclosure of contact information to the wrong person may cause significant distress to the data subject and possibly a risk of physical or mental harm if there are safeguarding considerations. (See Risk Factors: who is the information about?)

If contact information such as name and address are altered or lost it may impede the service’s ability to contact the individual.

If information is altered, there is a risk that services may send correspondence to the incorrect address causing a disclosure breach.

Mitigating actions

If there is high risk to the individual, you will be required to notify them of the breach so that they can take action to protect themselves.

If there is a high risk and the individual whose information has been breached does not have competency or has authorised someone else to act on their behalf (such as a carer, parent or guardian) it may be appropriate to notify these people so that they can support the individual and take action to protect them.

Where contact information is known or suspected to have been made inaccurate, sending communication such as emails, letters or texts should be halted until details can be confirmed, alternative communication methods may need to be explored so that there is not an impact on care and you are not prevented from notifying individuals of the breach if necessary.

Identification documents such as passports or driving licence

Associated risks

Breach of identity documents may leave individuals vulnerable to identity theft or fraud.

Identification documents may be used to open bank accounts or to apply for credit cards, which could impact individuals' finances and credit scores (see data set: financial data).

Depending on your purpose for holding this information, loss or alteration of this information may prevent you from conducting certain functions.

Mitigating actions

If there is high risk to the individual, you will be required to notify them of the breach so that they can take action to protect themselves.

If notifying individuals, they should be advised to increase vigilance to fraudulent activity and report breached identification documents to the relevant organisation.

Health and care records including health data and other special categories of information under UK GDPR

Associated risks

Special category data are types of information which are typically more sensitive and are afforded greater protections under data protection laws. Health and care records may contain any of the following special categories of information:

health data
data about a person's racial or ethnic origin
data about a person's religious or philosophical beliefs
genetic data
biometric data
data about a person’s sex life
data about a person’s sexual orientation

A breach of this information can have wide ranging implications for individuals, for example:

they may face reputational damage, discrimination or harassment based on information shared from their health record
they may be targeted by ‘bad actors’ who identify vulnerabilities from their health record and target them with scams, blackmail or other crime

There is a significant risk of distress to the individual connected to the release of special category information which may be considered highly sensitive depending on its nature and the circumstances of the individual (see Risk Factors: who is the information about? and Risk Factors: how sensitive is the information?).

The release of special category information may also result in a loss of confidence in the service and may therefore have clinical implications. For example, if an individual chooses not to receive treatment anymore because they do not trust the service to keep their information safe.

If a health and care record is lost or no longer considered to be accurate, there may be a risk to the ongoing care of the individual.

If the information breached does not include explicit health information, but still includes information from which health data could be inferred, risks are likely to apply as above. For example, health information could be inferred from the source of the data (See Risk Factors: Is the source of the information known?).

Mitigating actions

If there is high risk to the individual, you will be required to notify them of the breach so that they can take action to protect themselves.

If notifying individuals, they should be advised of potential impact and offered or signposted to appropriate support.

If notifying individuals, they should be advised to increase vigilance to scams, blackmail or other crime and where to report these if they occur.

You should consider whether health or care professionals involved in the care of the individual should be informed so that they can support the individual and prevent any impact to care.

Any immediate potential impact to care (such as missed appointments or medications) should be assessed and arrangements made to limit this impact.

Safeguarding information such as reports, assessments or other documentation associated with the protection of individuals at risk

Associated risks

There is a significant risk of distress and triggering of trauma to the data subject connected to the release of information which relates to statutory safeguarding, neglect, harm, exploitation, abuse or violence, some of which they themselves may not be aware of or which they may have shared with the highest expectation of confidentiality. This may apply to victims, survivors and alleged or convicted perpetrators of abuse.

There may be a risk of serious physical or mental harm to the individual where the release of information about an abuse situation may lead to an escalation or to an abuser being able to locate a victim or survivor.

Individuals may be targeted by bad actors who identify vulnerabilities from safeguarding records.

The release of this information may result in a loss of confidence in the service and may therefore have an impact on the services ability to engage with, protect or provide services to the individual.

Information relating to an alleged or convicted perpetrator of abuse may equate to the release of criminal offence data (see data set: criminal offence information).

Mitigating actions

If there is high risk to the individual, you will be required to notify them of the breach so that they can take action to protect themselves.

If notifying individuals, they should be advised of potential impact and offered or signposted to appropriate support.

If notifying individuals, they should be advised to increase vigilance to scams, blackmail or other crime and where to report these if they occur.

You should consider whether professionals involved in the care of the individual should be informed so that they can support the individual and prevent any impact on care.

Criminal offence information including allegations, offences and convictions

Associated risks

Data subjects whose criminal offence data is released may face reputational damage, harassment or unfair treatment based on information shared.

There is a significant risk of distress to the data subject connected to the release of criminal offence data.

Release of criminal offence data may impact an individual's relationships, employment and living arrangements.

Bad actors may target individuals with blackmail under threat of further release.

Mitigating actions

If there is high risk to the individual, you will be required to notify them of the breach so that they can take action to protect themselves.

If notifying individuals, they should be advised of potential impact and offered or signposted to appropriate support.

If notifying individuals, they should be advised to increase vigilance to scams, blackmail or other crime and where to report these if they occur.

You should consider whether professionals involved in the care of the individual should be informed so that they can support the individual and prevent any impact on care.

Financial information such as bank details, sort codes and account numbers

Associated risks

Disclosure of or access to sort codes, account numbers, long card numbers, card expiry dates and banking security codes may put the individual at immediate risk of fraud or financial crime.

The impact of fraud and financial crime may include:

a significant loss of income or savings
a deteriorated credit score
significant work clearing up loans or purchases
having to cancel credit or debit cards, close bank accounts and open new ones

Breaches may have further financial implications on the individual if, as a result of lost or incorrect banking information, they do not receive payments owed to them or are unable to access funds.

Mitigating actions

If there is high risk to the individual, you will be required to notify them of the breach so that they can take action to protect themselves.

If notifying individuals, they should be advised to increase vigilance to fraudulent activity and report breached finance information to their banks so that they can put additional safeguards in place and change security information where appropriate.

If the payment details held by your organisation are known to be incorrect, you may choose to suspend payments to avoid these going to the wrong people.

If your ability to make payments to individuals is affected, you must consider how to avoid impact on the individual, such as organising for alternative payment methods as soon as possible.

Credentials for IT systems, apps or online accounts

Associated risks

Where credentials (such as usernames and passwords) for system accounts are breached there is an additional risk to the information held on, or accessible through, those accounts (see relevant data sets for risk associated with different types of information that may be stored in online accounts).

There is also a risk to other systems where credentials for one can be used to gain access to another, for example, a breach of email credentials is likely to allow bad actors to access multiple other systems or accounts registered with that email address by requesting password changes or contacting account administrators.

Similarly, if an individual has used the same password for multiple accounts, breach of the credentials of one may allow easy access to multiple others.

There is a risk to the friends, family, colleagues and other contacts of those with breached credentials, as the bad actor may impersonate the individual to gain access to other accounts or carry out spear phishing attacks.

There is a risk that the individual will not be able to access their accounts, impacting their personal business or employment.

Mitigating actions

If the system for which the credentials have been breached are controlled by your organisation, you may be able to secure data or limit impact by:

resetting credentials (forcing password changes)
limiting or blocking account access
remotely wiping accounts (if the information can be backed up elsewhere)
implementing multi-factor authentication (MFA)

If the account is independently managed (for example a personal email) the individual should be informed so that they can take measures to protect themselves and others. Measures they can take themselves may include:

changing their passwords to online accounts
contacting account administrators to help secure accounts
informing family and friends of the breach in case of scam contact from the account
increasing their vigilance to unauthorised activity on their accounts
reviewing what other information might be accessible through their accounts and taking appropriate action (for example if the online account held banking information, contacting their bank)

NHS logins/NHS app

Associated risks

The risk presented by unauthorised access to an individual's NHS app or login can differ significantly depending on the level of app integration with the GP health record – in each case of unauthorised access, the individual instance of the app and the features available to them would need to be considered.

Risks may include:

access to individuals' clinical information
access to identifiers and contact information
unauthorised individuals may be able to book appointments or order repeat prescriptions
access to correspondence between health care professionals and the individuals

Mitigating actions

Instances of suspected or confirmed unauthorised access to NHS app or login accounts should be reported to the National Service Desk (NSD) by calling 0300 303 5035 or by emailing ssd.nationalservicedesk@nhs.net. To secure accounts, the NSD can:

disable logins
delete or cleanse accounts
block registration attempts

Access codes, building identification passes or other information which would allow access to restricted buildings/areas

Associated risks

A breach of codes or information which allows access to restricted buildings (including for example care homes, patient homes or offices) may pose a risk to the physical safety of those working or residing in those buildings.

There may be a risk that any information held in those locations could be inappropriately accessed.

Depending on the nature of the building, individuals or organisations may be at risk of theft or other crime.

These risks may be further stressed by vulnerability of individuals living in buildings that typically have access codes (such as care homes or private homes with visiting carers). See Risk Factors: Who is the information about?

Mitigating actions

If there is high risk to the individual, you will be required to notify them of the breach so that they can take action to protect themselves.

If the buildings and codes/passes are managed by your organisation, you may be able to limit impact by:

changing building codes or re-issuing passes
informing employees or residents to increase vigilance to unauthorised entry to buildings and what action they should take if they suspect unauthorised entry
implementing temporary measures such as on-site security

If the codes are not managed by your organisation, the responsible organisation or individuals should be informed so that they can take measures to protect themselves and others. Measures they can take may include any of those detailed above.

Employment information including performance and sickness records, EDI data, references and salary

Associated risks

Employment records may contain special categories of information such as:

health data (including sickness records and information collected for the purpose of reasonable adjustments)
data about a person's racial or ethnic origin
data about a person's religious or philosophical beliefs
data about a person’s sexual orientation

Where breached employment information relates to health, see data set: clinical information for further risks to consider.

An access or disclosure breach of this information can have wide ranging implications for individuals, for example:

they may face reputational damage, discrimination or harassment based on this information
they may be targeted by ‘bad actors’ who identify vulnerabilities from this information and target them with scams, blackmail or other crime

There is a significant risk of distress to the data subject connected to the release of special category information which may be considered highly sensitive depending on its nature and the circumstances of the individual (see Risk Factor: who is the information about? and Risk Factor: how sensitive is the information?).

The release of special category information may also result in a loss of confidence in the organisation and may damage employee/employer relations.

There is a risk of reputational damage and embarrassment to individuals when information relating to performance is released to colleagues.

If an employment record is lost or no longer considered to be accurate, there may be a risk to the ongoing management of the employee.

Employment data may also include confidential records about a person's wellbeing and personal circumstances and the release of this information may cause significant distress to an individual.

There is a risk of damaging trust with third parties where confidential references are released, as well as a risk of negative repercussions on the third party if the subject of the reference is unhappy with the content.

Salary information may be considered contentious and pose risks as above to the individual.

If the employment data includes bank details, see data set: financial information for further risks to consider.

Mitigating actions

If there is high risk to the individual, you will be required to notify them of the breach so that they can take action to protect themselves.

You should consider whether individuals involved in the management of the individual should be informed so that they can support the individual and prevent any impact at work.

If notifying individuals, they should be advised of potential impact and offered or signposted to appropriate support.

If notifying individuals, they should be advised to increase vigilance to scams, blackmail or other crime and where to report these if they occur.

Where there is a risk to third parties it may also be appropriate to notify them.

Supplier records including contact details, contracts, invoices

Associated risks

There is a risk that suppliers may be targeted with phishing where their contact details are released in a breach.

There is a risk that suppliers may be targeted with other attacks such as cyber-attacks in an attempt to disrupt the service they provide.

The risk is increased if the bad actor knows an organisation’s relationship with the supplier, as this may allow them to impersonate the organisation to extract information, services or funds.

If invoices which include financial or banking information are included in a breach, see data set: financial information for further risks to consider.

Mitigating actions

If there is likelihood of risk to the supplier, it may be appropriate to inform them of the breach and the risk so that they can take action to protect themselves.

You may need to implement temporary or permanent security measures for interactions with suppliers so that fraudulent contact attempts are not successful.

System or operational business documentation

Associated risks

Generally, health and care sector business information is low risk as in many cases it could be released to the public under a Freedom of Information request. Some information however is exempt and considered sensitive.

Certain operational documentation (such as those relating to IT security) may put an organisation at risk of a cyber incident or reputational damage if released.

Where the information is about an organisation’s structures and vulnerabilities it may be possible for bad actors to exploit these to cause further breaches.

Mitigating actions

Where a release of information leaves you vulnerable to cyber-attack, immediate work should be undertaken to secure systems and remove vulnerabilities. This may include:

updating protocols
implementing network segregation
putting effective local firewalls in place
implementing patch management
undertaking vulnerability scanning
implementing an effective system of logging and monitoring access and changes
updating software
implementing point-to-point encryption
securing the domain administrator account with appropriate controls
ensuring that there are secure and tested back-ups in place
providing security training to staff
testing response and recovery plans

If any systems are managed by a supplier, you will need to work with the supplier to secure the system and remove any vulnerabilities in line with the above.

Where the release of sensitive business information presents a risk to the function or reputation of your organisation it may be appropriate to:

consult or update business continuity plans
seek support with external comms in the event of media interest
brief colleagues on managing enquiries around the breached information

Further guidance on data breaches

For further guidance on data breaches including reporting requirements, risk assessing and notifying patients/service users, see our personal data breach guidance.

For guidance specific to adult social care, see the Data Breach Guidance on the Digital Care Hub.