There’s been an unexpected twist in the breach concerning Kate Middleton’s medical records. The private clinic where the Princess of Wales spent 13 days is being investigated over a possible delay in reporting the alleged security breach. The violation likely (and unfairly) contributed to mounting pressure on the beloved royal to disclose her health issues—which Catherine did on March 22 by revealing she’d been diagnosed with cancer.
According to The Telegraph, the Information Commissioner’s Office (ICO) requires organizations to alert them of data security breaches within 72 hours of discovery, but the London Clinic reportedly did not contact the privacy and data watchdog until more than a week after Middleton was discharged. That was on January 29. An ICO source confirmed to The Guardian that the “timeliness of reporting” was included in the investigation.
It comes after at least one staff member at the private hospital was being questioned over illegally trying to access Middleton’s medical records. An Information Commissioner’s Office (ICO) spokesperson said on March 19: “We can confirm that we have received a breach report and are assessing the information provided.” Kensington Palace said: “This is a matter for the London Clinic,” per The Guardian.
A source previously told The Mirror that the hospital was taking the incident very seriously. “This is a major security breach and incredibly damaging for the hospital, given its unblemished reputation for treating members of the Royal Family,” the source said.
“Senior hospital bosses contacted Kensington Palace immediately after the incident was brought to their attention and assured the palace there would be a full investigation. The whole medical staff have been left utterly shocked and distraught over the allegations and were very hurt that a trusted colleague could have possibly been responsible for such a breach of trust and ethics.”
An expert told Newsweek that the Princess of Wales could sue the hospital because a crime may have been committed under Section 170 of Britain’s Data Protection Act. “Individuals, such as—in this case—The Princess of Wales, can also bring claims for compensation under the U.K. GDPR, and for ‘misuse of private information,’ where their data protection and privacy rights have been infringed,” Jon Baines, a senior data protection specialist at Mishcon de Reya, said.
On March 22, 2024, the Princess of Wales revealed she’d been diagnosed with cancer in a video statement published to the @KensingtonRoyal official Twitter account. While her abdominal surgery had been successful, later tests revealed that she would have to undergo preventative chemotherapy.
