A former healthcare worker has been cautioned by police after attempting to access and sell the private medical records of Catherine, the Princess of Wales. The incident occurred at The London Clinic, the private hospital where the Princess underwent abdominal surgery in January 2024. The Information Commissioner’s Office (ICO) confirmed it is currently investigating the breach of patient confidentiality.
What happened at The London Clinic?
In early 2024, staff at The London Clinic discovered an attempt by a member of the healthcare team to access the Princess of Wales’s medical files. According to reports from the BBC, the individual was not directly involved in the Princess’s care but allegedly sought to monetize the sensitive information. The hospital immediately launched an internal investigation and notified the relevant authorities upon discovering the unauthorized access attempt. The Metropolitan Police reviewed the circumstances but ultimately determined that a formal caution was the appropriate outcome rather than criminal prosecution.
How do data protection laws apply to medical records?
The unauthorized access or attempted sale of patient data is a severe violation of the Data Protection Act 2018 in the United Kingdom. Under current law, it is a criminal offense for a person to knowingly or recklessly obtain, disclose, or retain personal data without the consent of the data controller.
The Information Commissioner’s Office (ICO), which acts as the UK’s independent body for upholding information rights, has confirmed it received a breach report and is assessing the information. While the hospital acted to secure the records, the incident highlights the vulnerability of high-profile patients within the healthcare system. The London Clinic’s chief executive, Al Russell, stated that all appropriate investigatory, regulatory, and disciplinary steps were taken to address the breach.
What are the consequences for the individuals involved?

The healthcare worker involved received a formal police caution. A caution is a serious matter in the UK; it is recorded on the Police National Computer and can be disclosed in future background checks, potentially impacting the individual’s ability to remain in the healthcare profession.
This case stands in contrast to previous high-profile privacy breaches involving the Royal Family. In 2012, a radio station prank call led to the suicide of nurse Jacintha Saldanha, who had been working at King Edward VII’s Hospital when the Duchess of Cambridge was a patient. While the 2012 incident involved a breach of hospital protocol regarding external communication, the 2024 incident focuses on the internal digital security of patient medical files.
Key facts about the investigation
- The Location: The London Clinic, a private hospital in Marylebone, London.
- The Subject: Catherine, the Princess of Wales, who was a patient in January 2024.
- The Regulatory Response: The Information Commissioner’s Office is currently reviewing the breach to determine if further regulatory action is required.
- Legal Status: The perpetrator received a police caution, avoiding a criminal trial but facing professional consequences.
The investigation remains ongoing as the ICO evaluates whether the hospital’s security protocols were sufficient to prevent unauthorized access. Future updates regarding the case will depend on the findings of the Commissioner’s final report.