Dentists bare teeth against BDA in breach legal action

A group of British dentists are not waiting for the Information Commissioner’s Office to investigate a recent hack attack on their industry body, the British Dental Association, to launch legal action against the organisation for failing in its “duty of care” over their personal data.

The incident was first revealed in early August, when the BDA sent out an urgent email to members warning them that their personal data may have been stolen.

At the time, the organisation told members that it was not sure exactly what information was accessed in the breach, which took place on July 30, and, over two months later, it still appears none the wiser, with an investigation into the incident still ongoing.

Although the BDA does not hold patient records, it has admitted that dentists’ bank account numbers and sort codes used to collect direct-debit payments, as well as private correspondence, had been compromised.

The BDA says it has contacted members who may have been affected and has reported the incident to the ICO.

But many members are not willing to wait for the BDA investigation to be completed – let alone the ICO’s probe, which could take years – and have kicked off the legal challenge through law firm Simpson Millar.

Perhaps unsurprisingly, Robert Godfrey, head of professional negligence at the firm, described the circumstances as “deeply concerning”, adding that he believes anybody affected by the data attack could have a valid claim against the BDA for the distress caused.

Godfrey explained: “We have had members of the BDA site contact us who are quite rightly very concerned. We are actively investigating potential claims on behalf of people directly affected by this serious breach. This is a clear violation of GDPR and data protection rules.

“I am confident any person whose details have been accessed could have a valid claim. It is clear there has been a breach of the residents’ right to privacy and the BDA is ultimately responsible. There is a clear entitlement to compensation for any upset, injury and cost of support and disruption to their lives.”

Godfrey then upped the ante by saying: “Many will be anxious and fear they will be targeted at home or work in the future. There is no doubt that the affected people are going to need support in this difficult time. Both from their family and friends.

“The BDA is a professional body which has a very clear duty of care to ensure members who hand over their confidential information have their data secure and protected, are not exposed, such as has happened in this breach.”

Compensation claims over data breaches have rocketed since GDPR came into force, as predicted before the regulation was passed, with the High Court likely to be “double busy” with cases in the coming months and years.

Earlier this week, privacy expert Duncan McCann started legal proceedings in the High Court against Google for collecting children’s data without parental consent. He reckons this could lead to a £2bn payout.

Meanwhile, TalkTalk customers started action two weeks ago through law firm Leigh Day on the back of two data breaches, including its notorious 2015 “car crash” hack attack, and a case against Marriott International was lodged the week before.

However, the only reported case where compensation has been paid so far was in January this year, when nearly 300 students from the University of East Anglia, whose personal details were emailed to their peers, received a total of £142,512.16. If shared equally, each victim would have received nearly £500 each. However, the money came from an insurance claim not a court case.