Ex-healthcare worker is cautioned over Kate's private medical records

See more Daily Mail on Google - save us as a Preferred SourceBy MARK DUELL, DEPUTY CHIEF REPORTER (DIGITAL) Published: 13:44 BST, 17 June 2026 | Updated: 17:33 BST, 17 June 2026

A former healthcare worker at the London Clinic where the Princess of Wales had abdominal surgery has been cautioned for illegally accessing her medical records.The unnamed employee was investigated over the deliberate misuse of Kate's private medical records and offering to disclose them for financial gain.The Information Commissioner's Office began a criminal investigation in March 2024 into the unlawful obtaining and disclosure of medical information to a third party without the consent of the data controller, after the clinic reported a breach.At the time it was reported that at least one member of staff tried to access Kate's notes while she was a patient at the private hospital in central London in January.The 44-year-old princess had abdominal surgery at the London Clinic in January. She publicly announced her cancer diagnosis two months later in a video message.The ICO said today: 'Following a full assessment under the Code for Crown Prosecutors and the ICO's Prosecution Policy, the ICO issued a now former healthcare professional from London with a formal caution in relation to an offence under section 170(5) of the Data Protection Act 2018.'The conduct involved the deliberate misuse of highly sensitive personal information and an offer to disclose it for financial gain, representing a clear breach of trust.' The Princess of Wales after the Order of the Garter Service in Windsor Castle on Monday Police officers outside the London Clinic after Kate underwent abdominal surgery in 2024The ICO, which is the UK's privacy and data protection watchdog, said a caution was 'the appropriate and proportionate enforcement response'.It added: 'We also considered whether there were any wider organisational issues arising from the healthcare provision in this matter. 'Based on the evidence available, we did not identify any failings that would meet the threshold for regulatory enforcement.'Ian Hulme, executive director for regulatory supervision, said: 'People should be able to trust that the personal information they're giving to healthcare settings is safe and protected from exploitation. When this trust is broken, it's right that the law allows us to take action.'We will not hesitate to pursue criminal prosecution where it is necessary and proportionate to do so.'A London Clinic spokesman said: 'We all take considerable pride in delivering the very highest standards of care and discretion for every patient at the London Clinic. 'We are pleased our work with the ICO has brought this sad and isolated incident to a conclusion. There were no regulatory breaches by the hospital.'Under the Data Protection Act 2018, it is an offence for a person to obtain, disclose or retain personal data without the consent of the data controller.The ICO can carry out criminal investigations and prosecute individuals where it believes an offence may have been committed.An assessment of the breach report is normally carried out by its Criminal Investigation Team, who decide whether to proceed in accordance with the Regulatory Action Policy.This decision includes looking at whether there is sufficient evidence to support a prosecution and whether it is in the public interest to do so.Kate also had the option of bringing a private prosecution with a civil action, and also potentially claiming compensation.The police also have powers to investigate and they do bring prosecutions under the Data Protection Act, normally when other offences are prosecuted at the same time.