A former healthcare worker at a London clinic has been formally warned for illegally accessing the medical records of Catherine, Princess of Wales, during her treatment at a private hospital in London in 2024.The Information Commissioner’s Office (ICO) confirmed it had completed a criminal investigation into the misuse of Kate’s confidential health information after the clinic reported a data breach. The regulator said the employee knowingly accessed highly sensitive personal data and offered to disclose the information to third parties for financial gain, the Daily Mail reported.The investigation began in March 2024 after reports that a staff member tried to access the Princess of Wales’s medical records while she was being treated at a central London hospital. Kate, 44, underwent abdominal surgery at a London clinic in January 2024 and later revealed in a video message that she had been diagnosed with cancer.According to the ICO, the undisclosed former healthcare professional was given a formal warning under Section 170(5) of the Data Protection Act 2018. The regulator described the incident as a serious breach of trust involving the deliberate misuse of personal information.The ICO said it carried out a comprehensive assessment in accordance with the Crown Prosecutors Code and its own prosecution policy before deciding that a warning was the most appropriate and proportionate law enforcement response in the case.As part of its investigation, the regulator is also looking into whether the incident points to wider deficiencies in the London clinic’s handling of patient information. However, it concluded that the available evidence did not reveal any organizational flaws to justify regulatory action against the hospital.Ian Hulme, executive director of regulation at the ICO, said: “People should trust organizations to protect their personal information. This breach involves the deliberate misuse of highly sensitive personal data and is a clear breach of that trust.”“We will continue to take action against individuals who unlawfully access or disclose personal information and will not hesitate to take criminal enforcement action where necessary and appropriate.”The London Clinic welcomed the conclusion of the investigation and described the case as an isolated incident. A spokesperson for the hospital said: “We are pleased that the ICO has concluded its investigation and confirmed that there was no evidence of systemic failure or regulatory breaches at the London Clinic.“We remain fully committed to maintaining the highest standards of patient care, confidentiality and data protection. This was an isolated incident and we continue to take our responsibility to protect patient information extremely seriously. “Under the Data Protection Act 2018, it is a criminal offense to obtain, disclose or retain personal data without the consent of the data controller. The ICO has the power to investigate suspected breaches and initiate criminal proceedings against individuals where breaches are believed to have occurred.
