The amount of compensation you can claim after a data breach depends heavily on the type of data exposed. A gym leaking your email address is a fundamentally different situation from an NHS trust exposing your medical records. UK courts and the ICO recognise this distinction — and the compensation ranges reflect it. This guide covers the most common breach scenarios individuals face, sector by sector.
NHS and GP data breaches
Medical data breaches are among the most serious because health information is classified as special category data under UK GDPR — attracting the highest level of protection and, consequently, the highest compensation awards when breached.
Common NHS and GP breach scenarios include: patient records emailed to the wrong recipient, appointment letters sent to incorrect addresses, test results shared with unauthorised parties, and system-level breaches exposing patient databases. The Synnovis pathology lab attack in 2024, which disrupted services across multiple London NHS trusts, is a recent high-profile example.
Because medical data reveals conditions, treatments, and diagnoses that carry stigma or emotional weight, distress awards are typically higher than for other data types. Estimated compensation for NHS and GP data breaches ranges from £3,000 to £20,000+ depending on the sensitivity of the records exposed and the severity of the impact.
Pharmacy data breaches
Pharmacy breaches are particularly sensitive because prescription records can reveal medical conditions, mental health treatments, substance use, and sexual health information. A pharmacy that exposes customer prescription data — whether through a system hack, improper disposal of records, or staff negligence — is exposing special category data.
The compensation range for pharmacy data breaches is similar to NHS breaches: £3,000 to £15,000 for distress alone, depending on what the prescriptions reveal and who may have accessed the data. If the breach led to social stigma or discrimination — for example, if a prescription for HIV medication or psychiatric treatment was disclosed to an employer or neighbour — awards can be higher.
Landlord and letting agent data breaches
Landlords and letting agents hold a significant amount of personal data: identity documents (passport, driving licence), bank statements, employment references, salary details, and sometimes credit check results. Breaches in this sector frequently involve tenant data being shared with unauthorised parties, documents left accessible online, or data retained long after a tenancy has ended.
The data types involved — identity documents and financial records — carry a real risk of identity theft and fraud, which increases both the distress and the financial loss component of any claim. Estimated compensation ranges from £2,000 to £10,000 for distress, with additional recovery for any actual fraud losses.
If your landlord or letting agent has retained your passport scan, bank statements, or credit check data after your tenancy ended, they may already be in breach of UK GDPR's data minimisation and storage limitation principles — regardless of whether a security incident has occurred. You have the right to request erasure of data that is no longer necessary.
Gym and leisure membership data breaches
Gym data breaches typically expose contact details (name, email, phone, address), payment card information, and membership records. While these are less sensitive than medical data, they still carry risk — particularly where payment card data is involved.
The compensation range for gym breaches is generally lower unless fraud resulted: £750 to £5,000 for distress from contact/payment data exposure. If payment card data was used for fraudulent transactions, the financial loss component is recoverable on top. Several large gym chains have experienced breaches affecting hundreds of thousands of members — class actions in these cases typically settle at £500–£2,000 per affected individual.
Financial services data breaches (Loqbox, banks, fintech)
Financial services breaches are particularly concerning because they expose data that can directly enable fraud: bank account numbers, sort codes, transaction histories, loan applications, and credit scores. The Loqbox data breach affected customers of a credit-building service, exposing personal and financial data that individuals had shared specifically because they were in a financially vulnerable position.
Financial services breaches typically result in compensation of £2,000 to £12,000 for distress, reflecting the anxiety of having financial data exposed and the ongoing vigilance required (monitoring accounts, changing banking details, credit file checks). Where fraud actually occurred, financial losses are recoverable in addition.
Employer and workplace data breaches
Employers hold extensive personal data: payroll records, bank details, tax codes, disciplinary records, health and absence data, performance reviews, and sometimes special category data like disability information or trade union membership. The Interserve breach (£4.4 million ICO fine) exposed the data of 113,000 employees.
Compensation for workplace breaches depends on the specific data types involved. Payroll and bank details alone might warrant £2,000 to £8,000; if disciplinary records, health data, or other sensitive employment information was exposed, the range is higher.
Divorce and family law data breaches
Family law firms and courts handle some of the most intimate personal data: financial disclosures, allegations of abuse, child welfare reports, mental health assessments, and details of property and asset ownership. A breach in this context can cause extreme distress — particularly where the other party in a divorce or custody dispute gains access to information they should not have.
These breaches typically fall at the higher end of the compensation scale: £5,000 to £20,000+ for distress, reflecting the deeply personal nature of the data and the potential for ongoing harm to family relationships.
Energy and utility company data breaches
Gas and electricity suppliers hold customer names, addresses, account numbers, payment details, and energy usage data. While less sensitive than medical or financial data, breaches affecting millions of customers (as has happened with several major UK energy suppliers) can still result in identity theft and fraud. Compensation for utility breaches typically ranges from £750 to £3,000 per individual for distress.
How the data type affects your claim
The pattern across all sectors is consistent: the more sensitive the data, the higher the compensation. UK GDPR classifies data into tiers of sensitivity:
- Special category data (health, biometric, criminal, racial, sexual orientation, religion) — highest awards
- Financial and identity data (bank details, passport, NI number) — high awards, especially where fraud risk is real
- Contact and membership data (name, email, phone, address) — lower awards unless combined with other factors