The Information Commissioner's Office (ICO) has concluded its criminal investigation into the unlawful obtaining and disclosure of medical information arising from a data breach at The London Clinic, issuing a formal caution to a now former healthcare professional under section 170(5) of the Data Protection Act 2018 (DPA 2018).
The ICO announced the outcome on 17 June 2026, more than two years after the breach was first reported.
The London Clinic, where the Princess of Wales spent 13 nights after planned abdominal surgery in January 2024, reported an alleged breach of her medical records in March 2024. Three members of staff were initially investigated for allegedly attempting to access royal medical records, with the hospital's Chief Executive Al Russell stating at the time: "There is no place at our hospital for those who intentionally breach the trust of any of our patients or colleagues."
The ICO confirmed it had received a breach report and was assessing the information provided when the matter first came to light. The regulator subsequently opened a full criminal investigation under its powers to prosecute offences under section 170 DPA 2018, which makes it a criminal offence for an individual to knowingly or recklessly obtain, disclose or procure personal data without the consent of the data controller.
The ICO said that following a full assessment under the Code for Crown Prosecutors and the ICO's own Prosecution Policy, a formal caution was issued to a now former healthcare professional. The conduct is described as involving the deliberate misuse of highly sensitive personal information and an offer to disclose it for financial gain, an aggravating feature indicative of an attempt to profit from unauthorised access to a high-profile patient's records.
The caution was issued under section 170(5) DPA 2018, which provides for a conditional caution as an alternative to prosecution where the public interest and proportionality tests under the Code for Crown Prosecutors are met without requiring a court proceeding.
The ICO also confirmed it assessed whether the matter gave rise to wider organisational failings at the healthcare provider warranting regulatory enforcement action under the UK General Data Protection Regulation, but concluded that no such threshold was met.
Ian Hulme, the ICO's Executive Director for Regulatory Supervision, said: "People should be able to trust that the personal information they're giving to healthcare settings is safe and protected from exploitation. When this trust is broken, it's right that the law allows us to take action. We will not hesitate to pursue criminal prosecution where it is necessary and proportionate to do so."

