A FORDINGBRIDGE man says he was “stunned” and “very upset” after discovering by chance that his medical records had been accessed and details shared without his consent.

The data breach took place in 2016 but Robert Richardson found out about it more than two years later after making a Right of Access information request.

Now Southern Health NHS Trust has admitted failing in its data protection obligations following the incident which involved a member of its staff accessing and sharing details of a patient’s confidential medical records without consent.

Mr Richardson received £1,500 as part of the settlement.

Hayes Connor Solicitors, who represented him, said that council files revealed that following his request for a more secure door to be provided for his property after serious threats were made against him, New Forest District Council had contacted the NHS to ask whether he was known to its mental health facility.

The 61-year-old operations administrator said: “I asked the local council to replace my front door for added security for my family, but they were not forthcoming.

“I had concerns about what was happening internally at the council in relation to my request.

“I proceeded to make a Right of Access request only to discover that they had contacted the NHS with the suspicion that I was suffering mental health issues.”

Mr Richardson added: “I was stunned and very upset to discover that this had taken place without my knowledge, or consent, and even more upset that the NHS had proceeded to access my private medical records to confirm to the council that I had not been a mental health patient, again without my knowledge or consent.”

“This followed a simple request to have the back door of my property replaced and at no point did the council, or the NHS, ask permission to share my private information.”

James Kelliher, litigation executive at data breach and cybersecurity specialist Hayes Connor Solicitors, who represented Mr Richardson, said: “The Trust admitted that a technical breach of the Data Protection Act had occurred. Our client discovered the breach purely by chance.

“It is concerning that private medical information was accessed and details shared without our client’s consent. Had he not made a Right of Access request the breach would have gone undetected.

“We pursued a successful data breach claim against Southern Health NHS Trust on behalf of Mr Richardson securing £1,500.

“GDPR came into force last year raising awareness of data privacy however, individuals’ private information has been protected by data protection laws for some time pre-dating this, a fact that both the council and NHS Trust should have been well aware of.”

A Southern Health NHS Foundation Trust spokesperson said: “We take patient confidentiality extremely seriously and work hard to ensure people’s information is processed in accordance with their wishes. In this case, we apologise as we fell short of these standards and have updated our information sharing policy and staff guidance to provide clarification around information sharing requests from third parties.”

NFDC has also been approached for comment.