Doctor pays patient over data breach
Mark Tighe – 1st March 2015
A GRANDMOTHER in her sixties has secured an apology and cash settlement from her former doctor after suing him for sending her complete medical history to her insurance company.
The woman, identified only as CW in a case heard before Judge Jacqueline Linnane in Dublin Circuit Court last week, sued for damages for breach of her data protection rights.
Evidence was given that the disclosure of her medical files triggered a depressive adjustment disorder that required the woman to be prescribed antidepressants. She said she was devastated by the breach of her trust by Brian Byrnes, her doctor of 38 years.
Claims for damages for data protection breaches are rare and the High Court has ruled plaintiffs must show they were negatively affected to receive compensation.
Tony Delaney, an assistant data protection commissioner (DPC), was about to give evidence about how his office investigated the case when Rory White, barrister for Byrnes, said the breach was admitted.
CW, who walked with the aid of crutches, told the judge she worked as a cleaner for 30 years before damaging her knee on her stairs at home. She said Genworth, her insurer, asked for medical records related to her knee injury. CW said she had a reading age of six to seven and needed help to sign a consent form allowing relevant medical records to be disclosed.
The insurer refused to pay out, saying that CW had failed to declare her osteoporosis. CW said she was unaware of this as she was told she simply had “wear and tear”.
She requested details of what was sent to Genworth by Byrnes and in August 2012 received records back. On the first page she could see Byrnes had sent details of her cervical smear tests and “woman problems in general”.
She said she had been attending Byrnes for almost 40 years and had a “trusting relationship” with him. Crying as she spoke, CW said, “I felt devastated. This had nothing to do with my knee. I felt betrayed. My trust in Dr. Byrnes was broken”.
The file included details of medication she was prescribed for a neck injury.
She said after discovering the disclosure Byrnes snubbed her by refusing to give her appointments. She recounted one occasion when she was in the waiting room of his clinic and the doctor shook hands with everyone except her. The doctor retired in December 2013. She said that she was very sad she never got a chance to thank him for all the help he had given her over the years.
She added that, although Byrnes told the DPC he apologised to her, he made no contact with her.
CW said she had coped with everything negative that happened in her life, including a chronic disease, her neck injury, her marriage break-up, the death of her mother, the death of a granddaughter and struggles with her weight, but she never previously required antidepressants.
Since discovering the data breach she stopped attending her literacy course because she could not concentrate.
“I couldn’t cope with this one”, she said. “That’s when I went on antidepressants”.
She said she now cried at “silly things”.
In cross-examination White suggested CW had symptoms of depression before the disclosure of her medical records. He pointed out she attended a psychotherapist who counselled people with her chronic condition. He said notes from her doctor showed she had “terrible nightmares” about the court case and dreams about “solicitors screaming at me”. He suggested her “main stressor” was the litigation.
Jennifer Doherty, a consultant psychiatrist based in Belfast, said CW was very depressed. “She felt violated”, said Doherty, who gave evidence on behalf of CW. “Her trust in healthcare professionals was gone”.
On Thursday, Martina O’Neill, barrister for CW, said the case had been settled and CW would get her legal costs.
Linnane said she had “utmost admiration” for CW and said she was “very brave” in giving evidence.
After the hearing Byrnes met his former patient and apologised.
Niall Kiernan, a solicitor with Lawlor Partners, who represented CW, said he believed the settlement was the largest made in Ireland for a data protection breach.
The maximum that the court could have awarded was €38,000.
“Data controllers and processors must ensure personal information remains confidential and secure”, said Kiernan.