Doorstep Dispensaree Ltd (a London-based independent pharmacy) was fined £275,000 by the Information Commissioner's Office (ICO) in December 2019 for GDPR non-compliance, specifically for carelessly storing hundreds of thousands of patient documents containing sensitive personal and health data in unlocked containers in an unsecured area, breaching data security rules. This marked the ICO's first GDPR fine, highlighting failures in protecting patient information under GDPR regulations.

Details of the fine:
Fine amount: Initially £275,000, later reduced to £92,000 after an appeal.
Reason: Failure to ensure appropriate security for personal data, including names, addresses, NHS numbers, medical details, and prescriptions, stored in unlocked boxes and bags.
ICO statement: The data was left unsecured, failing to protect it from accidental loss, damage, or unauthorized access, violating GDPR's data security principles.

This case serves as a significant reminder for healthcare providers about the strict requirements for handling sensitive patient data under GDPR. There have been hundreds of other GDPR-related fines and claims against UK pharmacists, but most of these have been settled out of court and have not gone onto the public record.
Recent Medical Data Breach Cases: ICO Fines and Private Litigation for GDPR Non-Compliance by Registered Independent Pharmacies, Dental Practices and Doctors Contracted to the NHS
Here are some examples of dental practices being fined and sued for data breaches due to GDPR non-compliance. Most data breaches go unreported and are settled out of court, so they are not found in the public records. This is the reason why the ICO and the 2018 GDPR Act insist that every public authority has an "independent" Data Protection Officer who will report a data breach within 72 hours.

Recent UK dental data breach incidents:

2025 (Sept): Diamond Court Dental reported a system breach involving phishing emails sent to patients, though it reported that health and financial records remained secure.
Read about this: https://www.diamondcourtdental.co.uk/important-notice-regarding-gdpr-data-breach-incident/

2024 (Oct): Guernsey-based Fresh Dental suffered a breach following a phishing attack that allowed unauthorized access to an employee's Microsoft 365 account, leading to sanctions due to security failings.
Read about this: https://www.odpa.gg/sites/default/files/2025-12/Fresh%20Dental%20Determination%2011.12.2025.pdf
https://www.bailiwickexpress.com/news-ge/dental-practice-breached-data-law-after-hacked-email-sent-phishing-messages/

2023 (Apr): Congleton Dental Centre suffered a ransomware attack that potentially exposed the names, contact details, and dates of birth of 15% of its patients.
Read about this: https://congletondental.co.uk/cyber-attack-20th-april-2023/

2020 (July): The British Dental Association (BDA) experienced a cyberattack in which hackers potentially stole bank account numbers and, in some cases, patient information related to insurance claims.
Read about this: https://uk.topclassactions.com/lawsuit-settlements/data-breach/british-dental-association-data-breach-group-action-open-claim/

There have been hundreds of other GDPR-related fines and claims against UK dental practices, but most of these have been settled out of court and have not gone onto the public record.
Here are some examples of doctors' surgeries being fined and sued for data breaches due to GDPR non-compliance. UK practices have been penalised for GDPR/Data Protection breaches by the ICO, with examples including a £40,000 fine in 2016 for releasing confidential patient details and another £35k fine in 2018 for leaving records behind, highlighting failures in procedure and security, though fines are less common now than reprimands or enforcement notices for general breaches. While individual doctors aren't usually fined directly, the organisations they work for are held accountable for protecting patient data.

Examples of fines/actions against UK practices:

2016: A GP practice received a £40,000 fine for disclosing a patient's confidential information to an ex-husband due to inadequate procedures for handling requests and a lack of physical checks, under the then Data Protection Act 1998 (precursor to GDPR).

2018: Bayswater Medical Centre was fined £35,000 for leaving sensitive patient records at an empty surgery for 18 months, in an unsecured courtyard, demonstrating poor data disposal.

HCA International (private healthcare, 2017): Fined £200,000 for failing to secure sensitive IVF data, which was sent unencrypted via email to a subcontractor.

There have been hundreds of other GDPR-related fines and claims against UK doctors' surgeries, but most of these have been settled out of court and have not gone onto the public record.
Rockwell Data corp