I've recently been sent a letter by my GP saying that a member of staff has been accessing my medical records inappropriately. They don't go into any details like how long it's been going on for, how many people are involved or anything like that. They don't even say when the breach ocurred either.

All the letter says is they've changed their procedures to stop it happening again, the person has been fired and they've reported the incident to the ICO.

Now I just want to say I am NOT trying to claim compensation or anything like that this is purely about how this has now affected me. I am now struggling to trust my surgery, I have a complicated medical history and live in a small community so now i'm wondering how many (if any) know my medical history and are gossiping. The entire subject matter is already being gossiped about as I found out about the breach before I got a letter.

They imply that as the person is now not working there and the ICO has been informed that that's it as far as they're concerned, I have written to them asking specific questions like how long it was going on for etc but given that the person "picked" mine to look at I have to wonder if it's someone I know or if they looked on behalf of someone else.

What kind of response should I expect from the practice, out of what has happened what information about the incident am I entitled to see and if anyone has any other suggestions i'd be really grateful

Start off by sending an SAR. See what that produces. Make your own complaint to the ICO. You should also inform the police

As ironic as this sounds, they cant tell you much... Data protection.

Make an appointment to go and speak with the practice manager and one of the GP partners, they’ll undoubtedly be more than happy to speak with you.

Over the last year, there have been two reported unauthorised accesses to medical records of a total of some 280 patients in my county. This is in spite of eight convictions against NHS employees caught prying in to medical records. Obviously the lesson hasn't gotten through, so I would also agree that speaking to the practice manager would be a start.

If nothing else, you need assurances that the data hasn't been disseminated or distributed to others outside the practice.