Were you affected by the LUHFT data breach? Know your GDPR rights

In what has been described as a serious failure in data protection, Liverpool University Hospital Foundation Trust (LUHFT) mistakenly shared sensitive employee information in an email, exposing the personal details of almost 14,000 staff members.

What does this mean for you?

The exposed information included:

  • Names and addresses
  • National Insurance numbers
  • Dates of birth
  • Salaries and payroll details
  • Gender and ethnicity

This information could be used in identity theft, fraud, and cyber scams.

If your data was exposed in the LUHFT data breach, you may be due compensation. Even if no immediate harm has come to you, the exposure of such data can cause significant emotional distress and you have the right to make a claim.

Why does this matter?

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, all organisations – including public sector bodies like the NHS – have a legal duty to protect personal information. This means they must implement strong security measures to prevent unauthorised access, accidental leaks, and cyberattacks.

When an organisation fails to protect personal data, as in the case of Liverpool University Hospital Foundation Trust (LUHFT), affected individuals have the right to take legal action. Crucially, GDPR is not just about financial losses. It also recognises the emotional distress and psychological impact of having your data exposed.

What Are Your Rights Under GDPR?

If your data has been compromised in a breach, you are entitled to:

  • Be informed: Organisations must notify individuals about a data breach that poses a risk to their rights and freedoms without undue delay. In the LUHFT case, affected employees should have been promptly informed so they could take steps to protect themselves.
  • Seek compensation: If your personal data has been mishandled or exposed, you have the right to claim compensation. This includes for emotional distress and financial impact.

How did LUHFT fail to meet GDPR standards?

LUHFT’s failure to prevent this breach, and the potential risks now faced by thousands of employees, highlights serious concerns about data security in the NHS and public sector. Some key failings include:

  • Failure to protect data: A hospital trust handling sensitive employee and patient data should have robust safeguards in place. The fact that personal information was accidentally shared in an email suggests serious gaps in security procedures. 
  • Failure to prevent human error: While cyberattacks often cause data breaches, this incident was the result of an internal error. GDPR requires organisations to train staff properly to prevent mistakes that could compromise sensitive information.

Check your eligibility with Join the Claim

If you were one of thousands of staff members affected by the LUHFT data breach, you have the right to seek compensation. You don’t have to go through this alone. Join the Claim is helping affected individuals take legal action. Find out if you qualify today.

Check my eligibility

You may also like:

Thousands of drivers given permission to sue BMW for illegal emissions devices

In January 2024, the High Court ruled that drivers could sue BMW for fitting some diesel vehicles with devices that tricked emissions tests. The illegal devices made it seem like BMW’s diesel cars were less-polluting than they actually were.

Asda equal pay claim: Can store workers fight for fair wages?

Asda store workers may be underpaid. Check if you qualify for an equal pay claim and take action to seek the compensation you deserve.

Capita data breach: Legal response & ongoing investigations

Capita’s data breach exposed pension holders’ personal data. Stay updated on the latest legal action, investigations, and regulatory responses.

You might also like

See more resources

Several bottles of Johnson's baby powder on a store shelf, symbolising the Johnson and Johnson talc lawsuit over alleged asbestos contamination and cancer risks.
  • News, Product Liability

Johnson & Johnson talc lawsuit in the UK: What you need to know

A UK lawsuit claims Johnson & Johnson’s talc products cause cancer. Learn about the case,...
Low-angle view of people walking in a city, symbolising unity and collective action, related to key facts about group litigation for seeking justice.
  • News

10 must-know facts about group litigation for first-time claimants

Discover 10 essential facts about group litigation for first-time claimants. Learn how joining a group...
  • News, Travel

Flight cancelled or delayed for 3+ hours? You could be due compensation!

Flight delays and cancellations can completely disrupt your travel plans, costing you time, money, and...

Did you know we have a newsletter?

Sign up for our newsletter to stay up to date.

We connect consumers with their legal dream teams to ensure they get the compensation and support they deserve.

claims
About
Legal
Connect

Join the Claim is not a law firm. We connect individuals with top law firms for group action claims, and our service is free to use. While we may receive a fee from the law firms we introduce you to, this will not affect your costs or compensation. We are not responsible for the advice or services provided by these firms. Please note, nothing on this website is legal advice, and while we check claim eligibility, we cannot guarantee a law firm will accept a case.

Join the claim is a registered trading name of Big on Media ltd. Big on Media is registered in the United Kingdom under licence number 09878028 with its registered office located at Big on Media, 6 Sunderland Street, Tickhill, Doncaster, DN11 9QJ

© Join the Claim All Rights Reserved | 2025

Go to claims