Staff at the prestigious hospital at the centre of a data breach over the Princess of Wales's private medical records may have had to contend with a 'decoy' trap set by managers, experts believe.

The MoS can reveal that, three months on, The London Clinic remains under investigation and the case has not yet been referred to Scotland Yard, despite Health Minister Maria Caulfield stating in March that police had been asked to look at it.

Bosses at the hospital launched a probe after it was claimed at least one staff member had attempted to access personal details about Kate following her planned abdominal surgery in January.

It is a criminal offence for any NHS or private healthcare staff to access the medical records of a patient without the consent of the organisation’s data controller.

Now several data specialists have told this newspaper that, if the breach occurred, staff could have been caught through a ‘decoy’ tactic used by private hospitals that often have high-profile clients.

+4
View gallery

The Princess of Wales was receiving private medical care at The London Clinic when staff were accused of attempting to access her personal details following planned abdominal surgery

+4
View gallery

The London Clinic remains under investigation . It is a criminal offence for any NHS or private healthcare staff to access the medical records of a patient without consent

+4
View gallery

Health Minister Maria Caulfield has called for the case to be investigated by the police

To protect the health data of VIP patients, hospitals often store it in a file under a fake name.

A ‘decoy’ file is then created under the celebrity’s real name. This contains false information and is regularly checked by bosses to see if any wayward staff have opened it without permission.

If a breach is suspected, hospitals are required to launch their own inquiry while the Information Commissioner’s Office (ICO) investigates whether management did anything wrong. But this process is laboriously slow.

Sam Smith, of health data privacy group MedConfidential, said: ‘It’s disappointing but sadly normal that three months on there is no update about the investigation.’

He said data breaches were ‘unfortunately common’, adding: ‘It’s rare that people find out when a data breach has happened, even rarer that they can get the evidence to prove it, and if they do, the process is still very slow.’

Tom Llewellyn, a partner in commercial litigation and data protection at Ashfords law firm, said: ‘It might take years for action to be taken against the individuals.’

He highlighted a similar case last year when a former NHS secretary was fined £648 for accessing the medical records of more than 150 patients – four years after the breaches took place.

Last month, a hospital doctor was struck off three years after reading the health data of a woman he met on a dating app in 2021.

The London Clinic has provided no update since the suspected breach of the Princess of Wales’s health data was reported.

The ICO told the MoS: ‘Investigations into reported data breaches can be highly complex and our expert team must be given adequate time to make their enquiries.

To protect the integrity of a live investigation, we will not provide regular updates on its progress to those not directly involved until its conclusion.’

The Met Police confirmed they were ‘not aware of any referral’ about the breach.

Kensington Palace said: ‘This is a matter for The London Clinic.’