Capita facing class action lawsuit over data breach involving GP patients

Capita, the company providing primary care support services to England’s GP practices, is facing a class action lawsuit over a data breach that took place earlier this year.

Manchester law firm Barings Law has said the data breach could ‘impact millions of people’ and they are currently receiving 30 to 40 enquiries a day from concerned members of the public, including numerous enquiries from patients registered at GP practices.

Earlier this month, NHS England reported a data breach involving GP information caused by the cyber-attack against Capita, which is the company responsible for running back-office functions for GPs, such as pensions and transfer of medical records, via Primary Care Support England (PCSE).

Capita has confirmed that files containing ‘limited optometry information’ for two patients were accessed, as well as two files containing names and NHS numbers of deceased and de-registered GP patients were accessed.

The cyber-attack in March caused disruption to Capita’s services, and initially, the company said there was ‘no evidence of customer, supplier or colleague data having been compromised’.

Barings Law has recently sent a letter of claim to Capita outlining the case, and in two weeks has signed up 250 people who ‘suspect their personal data may have been compromised by the breach’.

The law firm said their own investigations have revealed potential breaches of passport, email and home address information, and affected individuals have reported unauthorised activity on their bank accounts such as food delivery orders.

Head of data breach at the firm, Adnan Malik, said this could be ‘one of the biggest data breaches this country has ever experienced’ and the ‘staggering number of enquiries’ led the firm to take formal legal action.

The Information Commissioner’s Office (ICO) encouraged organisations that use Capita’s services to check their own position regarding the incident and determine if the personal data they hold had been affected.

NHS England said earlier this month that no health or patient data, beyond the few optometry files, had been accessed and that an independent cyber security expert appointed by Capita found no evidence that the information had been made available more widely.

Capita confirmed in May that it would need to spend between £15m and £20m in relation to the cyber incident, including specialist professional fees, recovery and remediation costs and investment to reinforce its cyber security.

Barings Law has also said that the cyber-attack in March ‘targeted people’s pensions’ administered by Capita which resulted in ‘individuals falling prey to phishing attempts, fraudulent calls and emails purportedly from their providers’.

Mr Malik said: ‘One would think Capita may have put robust measures in place following the first instance, but now innocent people, through no fault of their own, find themselves in really worrying circumstances.

‘While we acknowledge that Capita were themselves victims of a cyberattack here, their financial resources are such that the £20m they’re forecasting this will cost them, is not that significant in the grand scheme of things.

‘Unfortunately, the same can’t be said for our clients, who’ve worked extremely hard all their lives to be told they might now lose everything.’

A spokesperson for the company said: ‘Capita continues to work closely with specialist advisers and forensic experts to investigate the incident and we have taken extensive steps to recover and secure the data. 

‘In line with our previous announcement, we are now informing those we have identified to be affected.

‘We are working to provide our clients and their customers with information, reassurance and support while delivering for them as a business. In instances where we need to provide further support to those affected, we will do so.’