Last week the Information Commissioner's Office (ICO) announced that an employee of a personal injury claims company was guilty of illegally obtaining NHS patient information from two different walk-in treatment centres in Bury, Greater Manchester.

Martin Campbell, an employee of Direct Assist, illegally obtained health data of approximately 29 NHS patients with the assistance of his then girlfriend, Dawn Makin. Ms Makin was working as a nurse at one of the centres in Bury at the time of the data breach taking place.

The breach was brought to the attention of the ICO following an investigation by the Bury Primary Care Trust into telephone calls to various patients from the personal injury company enquiring about the circumstances of their accident and encouraging them to make a claim. During the investigation, it came to light that Ms Makin had accessed a number of files for which she had no justifiable reason. Following this, the Trust reported the matter to the ICO.

The ICO found that through the assistance of Ms Makin, Mr Campbell was using the illegally obtained patient information to generate leads for personal injury claims for "personal gain". Such action is a breach of s55 of the Data Protection Act 1998 and as a result, Mr Campbell was found guilty, and liable for a £1,050 fine, £1,160 in prosecution costs, as well as a £15 victims' surcharge.

No action was taken against Ms Makin on the grounds that it was no longer in the public interest. However, in a statement released by the ICO last week, the Information Commissioner Christopher Graham said that "the ICO will always pursue prosecutions where individuals breach both their duty of confidentiality and the Data Protection Act. Those whose responsibilities include the custodianship of sensitive personal data should take note."