Legislation, 24 April 2026

The data breach you didn't know was a data breach

Sending an email to the wrong address. Forgetting to BCC a group. A laptop in a cab. Many therapists assume only hacks count as a breach. The ICO disagrees — and the 72-hour clock starts the moment you find out.

Most therapists think of a data breach as something dramatic — a hack, a stolen laptop, a stranger gaining access to client files. Those are breaches. But the bar is much lower than that, and many of the breaches that have to be reported to the ICO are accidents that look, in the moment, like minor inconveniences.

This matters because under UK GDPR you have to report certain breaches to the ICO within 72 hours of becoming aware of them. The clock starts the moment you realise something has gone wrong, not the moment you decide it was serious.

Here are the kinds of breaches that come up in therapy practice, and what they have in common.

Sending an email to the wrong address

You meant to send the appointment confirmation to john.smith@example.com. You sent it to john.smyth@example.com. The wrong John has received your client's name, the time of their session, and possibly a phone number.

That is a personal data breach. The unintended recipient was not authorised to receive the data, and they have it now. Whether you have to report it to the ICO depends on whether the breach is likely to result in a risk to the rights and freedoms of the individual — which, for therapy data, often it is.

Forgetting to BCC a group email

You're sending a holiday notice to your active clients. You put their addresses in the To or Cc field instead of BCC. Every client now knows the names and email addresses of every other client.

This is not a small mistake. You have disclosed to each recipient the fact that everyone else on that list is a therapy client of yours. That is special category data — information about someone's health — disclosed without consent. Reportable.

A laptop in a cab

The classic. A device with client data, left in a public place. Whether the device was encrypted makes an enormous difference to whether the breach is reportable. An encrypted, password-protected laptop with no client data on the local drive (everything cloud-only, behind two-factor authentication) is a very different situation from an unencrypted laptop with last week's session notes in a folder on the desktop.

A USB stick is the same problem in miniature. So is a paper notebook left on a train.

Ransomware or a compromised email account

If your email account is taken over by an attacker, even briefly, the contents of that account have potentially been seen by an unauthorised third party. For most therapists, that includes appointment requests, names of clients, scheduling information, sometimes more. Reportable, almost always.

If your computer is hit by ransomware that encrypts client files, that is also a breach — even if no data was extracted. The unavailability of personal data due to a security incident is itself a form of breach under UK GDPR.

What "becoming aware" actually means

The 72-hour clock starts when you have a reasonable degree of certainty that a breach has occurred. Not when you confirm every detail. Not when your IT person finishes investigating. The moment you reasonably suspect something has gone wrong, the clock is running.

This is why having a written process matters more than most therapists realise. You don't want to be deciding what to do at 9pm on a Friday with no plan, with the clock ticking. The ICO's expectation is that organisations of any size have thought about this in advance.

What to do, in order

If you suspect a breach has happened:

  • Write down what you know and when you noticed it
  • Stop the bleeding — change passwords, contact the unintended recipient, recall the email if your provider supports it
  • Assess the risk to the affected individuals
  • If the risk is more than minimal, notify the ICO within 72 hours via their breach reporting form
  • If the risk is high to the individuals, you may also need to notify them directly
  • Document everything, including any breach you decided not to report and why

Documentation is the part most easily skipped, and the part most important if anything is later questioned. The ICO's first request after any incident is your breach log — even for breaches you decided didn't meet the reporting threshold.

The reassurance

Most breaches in small therapy practices are accidents, not failures of character or competence. The ICO knows this. They are not looking to penalise honest mistakes that were dealt with properly. What they look for, and what helps, is evidence that you took it seriously, acted promptly, and have a process so it is less likely to happen again.

The therapists who get into real difficulty are not the ones who had a breach. They are the ones who didn't realise they had a breach, or who realised and did nothing.
