There’s Been An Unexpected Twist In The Breach Of Kate Middleton’s Medical Records

There’s been an unexpected twist in the breaching of Kate Middleton’s medical records. The private clinic where the Princess of Wales was being treated amid her undisclosed abdominal procedure is being investigated over a possible delay in reporting the alleged security breach.

According to The Telegraph, the Information Commissioner’s Office (ICO) requires organizations to alert them of data security breaches within 72 hours of discovery, but the London Clinic reportedly did not contact the privacy and data watchdog until more than a week after Middleton was discharged. That was on January 29, following her 13-day stay. An ICO source confirmed to The Guardian that the “timeliness of reporting” was included in the investigation.

It comes after at least one staffmember at the private hospital was being questioned over illegally trying to access Middleton’s medical records. An Information Commissioner’s Office (ICO) spokesperson said on March 19: “We can confirm that we have received a breach report and are assessing the information provided.” Kensington Palace said: “This is a matter for the London Clinic,” per The Guardian.

A source previously told The Mirror that the hospital was taking the incident very seriously. “This is a major security breach and incredibly damaging for the hospital, given its unblemished reputation for treating members of the Royal Family,” the source said. 

“Senior hospital bosses contacted Kensington Palace immediately after the incident was brought to their attention and assured the palace there would be a full investigation. The whole medical staff have been left utterly shocked and distraught over the allegations and were very hurt that a trusted colleague could have possibly been responsible for such a breach of trust and ethics.”

An expert told Newsweek that the Princess of Wales could sue the hospital because a crime may have been committed under Section 170 of Britain’s Data Protection Act. “Individuals, such as—in this case—The Princess of Wales, can also bring claims for compensation under the U.K. GDPR, and for ‘misuse of private information,’ where their data protection and privacy rights have been infringed,” Jon Baines, a senior data protection specialist at Mishcon de Reya, said.