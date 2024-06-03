Everything old is new again, and everything around the “what’s going on with the Princess of Wales” conversation hearkens back to what we were dealing with in March. Mysterious “sightings” of Kate with janky photos and videos, lies about when certain photos were taken, lies about the chronology of Kate’s illness and recovery. Back in March, in the days just before Kate’s cancer-announcement video, one of the big stories was about a data breach at the London Clinic, and suspicions that someone in the hospital tried to access Kate’s medical records. The story was everywhere for a week… the week before the cancer-announcement video. I had my suspicions about what was really going on, but I will say two things can coexist: Kate has the right to medical privacy and I was personally surprised that no one at the London Clinic actually sold any information to the tabloids about Kate. Well, the whole medical-record story has gotten even weirder. According to the Mail, the “investigation” hasn’t even been referred to Scotland Yard.

Staff at the prestigious hospital at the centre of a data breach over the Princess of Wales’s private medical records may have had to contend with a ‘decoy’ trap set by managers, experts believe. The MoS can reveal that, three months on, The London Clinic remains under investigation and the case has not yet been referred to Scotland Yard, despite Health Minister Maria Caulfield stating in March that police had been asked to look at it.

Bosses at the hospital launched a probe after it was claimed at least one staff member had attempted to access personal details about Kate following her planned abdominal surgery in January. It is a criminal offence for any NHS or private healthcare staff to access the medical records of a patient without the consent of the organisation’s data controller. Now several data specialists have told this newspaper that, if the breach occurred, staff could have been caught through a ‘decoy’ tactic used by private hospitals that often have high-profile clients.

To protect the health data of VIP patients, hospitals often store it in a file under a fake name. A ‘decoy’ file is then created under the celebrity’s real name. This contains false information and is regularly checked by bosses to see if any wayward staff have opened it without permission.

If a breach is suspected, hospitals are required to launch their own inquiry while the Information Commissioner’s Office (ICO) investigates whether management did anything wrong. But this process is laboriously slow. Sam Smith, of health data privacy group MedConfidential, said: ‘It’s disappointing but sadly normal that three months on there is no update about the investigation.’

He said data breaches were ‘unfortunately common’, adding: ‘It’s rare that people find out when a data breach has happened, even rarer that they can get the evidence to prove it, and if they do, the process is still very slow.’

Tom Llewellyn, a partner in commercial litigation and data protection at Ashfords law firm, said: ‘It might take years for action to be taken against the individuals.’ He highlighted a similar case last year when a former NHS secretary was fined £648 for accessing the medical records of more than 150 patients – four years after the breaches took place.

The London Clinic has provided no update since the suspected breach of the Princess of Wales’s health data was reported. The ICO told the MoS: ‘Investigations into reported data breaches can be highly complex and our expert team must be given adequate time to make their enquiries. To protect the integrity of a live investigation, we will not provide regular updates on its progress to those not directly involved until its conclusion.’

The Met Police confirmed they were ‘not aware of any referral’ about the breach. Kensington Palace said: ‘This is a matter for The London Clinic.’