Overview
- The Information Commissioner’s Office concluded its criminal investigation and issued a formal caution on Wednesday to a now‑former healthcare professional under section 170(5) of the Data Protection Act 2018.
- The ICO said the conduct involved the deliberate misuse of highly sensitive personal information and an offer to disclose it for financial gain, and the worker has been dismissed or removed from practice.
- News organisations have widely linked the case to the Princess of Wales’s January 2024 stay at the London Clinic, though the ICO did not name the patient; the Princess later announced cancer treatment and remission in January 2025.
- The London Clinic reported the suspected breach to the ICO in March 2024, carried out an internal inquiry that led to staff dismissals, and the regulator found no wider organisational failings that met the threshold for regulatory action.
- The outcome highlights the insider risk to patient data and shows the ICO can use formal cautions rather than prosecution, which may prompt hospitals to tighten access controls and monitoring of staff who handle medical records.