Nurse used benefit assessment info to launch campaign of harassment that left disabled neighbour suicidal

A nurse who carried out benefit assessments on behalf of the government obtained a medical report belonging to his disabled neighbour and then used it to launch a campaign of bullying and harassment that left him suicidal.

Carlo* has told Disability News Service (DNS) that he had fallen out with his downstairs neighbour, who he knew worked as a nurse, after having to complain repeatedly to their landlord, and then the police, about cannabis fumes from his flat that were making his life a misery.

After both the landlord and police issued the nurse with a warning, contractors working in Carlo’s London flat, and neighbours, began asking him about his mental health and why he was not working.

An electrician told him this information had come from the nurse.

Carlo, who was recovering from serious illness and had developed associated mental distress, said: “He had basically said that I don’t work, I sit at home all day, that I’m on benefits, and that I was ‘mental’ and ‘crazy’.

“I know he said these things to the landlord as well.”

He discovered that the nurse worked for US outsourcing giant Maximus and had been sharing deeply personal information about his mental health that had been taken from the 2017 work capability assessment (WCA) carried out by the company after he had applied for universal credit.

Carlo reported his actions to the police – as well as the other harassment he had experienced – and to Maximus.

He was told by the police that the nurse had admitted searching for his details and viewing an assessment report carried out by Maximus in 2017.

Maximus investigated the allegations, suspended the nurse, and eventually admitted to Carlo in an email that there had been an “unacceptable and egregious action taken which is contrary to all policies and the ethos of our organisation”.

Carlo told a senior Maximus executive he felt his “privacy has been totally invaded”, which had “destroyed the little confidence and self esteem I had left”.

Maximus offered Carlo a £200 “consolatory payment” as “full and final settlement of this matter”, although it continues to insist that it was not legally liable for the nurse’s actions.

By the time Maximus had completed its investigation, the nurse had transferred to Ingeus UK, which took over the Department for Work and Pensions (DWP) contract for all disability assessments in London, south-east England and East Anglia last September.

Ingeus continued the disciplinary case and sacked the nurse, and he now faces a police investigation.

But DWP and Maximus are still facing questions over how the nurse was able to access the medical details of a claimant he had not assessed himself.

Although Maximus no longer carries out assessments in London, it still has a contract to carry out PIP assessments and WCAs in northern England, as well as carrying out WCAs in Scotland.

Carlo told DNS the experience had been personally “devastating”.

He said: “I feel my privacy has been completely violated.

“I am quite a strong person, but I felt suicidal. I just felt my privacy had been completely violated and nobody was taking me seriously.

“The report he had access to was primarily about my mental health. 

“For him to read that and express it to contractors and neighbours, calling me names such as crazy and mental, is completely unbelievable.”

He said the case “opens up a can of worms” relating to the security of deeply personal information shared by disabled benefit claimants with DWP contractors.

He also fears the nurse could have accessed a later assessment report that included a further “very serious” health diagnosis he has not yet even discussed with those close to him.

He said: “These are things I don’t even tell my friends and family. To find that someone can just go in and review it so easily – it’s just unbelievable.”

Carlo lodged a complaint about the nurse’s behaviour with the Nursing and Midwifery Council (NMC), but the regulator told him: “We’ve considered the fitness to practise concern raised and we’ve decided we won’t be investigating it further at this time.”

The regulator told Carlo it was “not satisfied that we have evidence of a concern that meets our seriousness criteria as outlined in our guidance” and that there was “clear evidence that [the nurse] has addressed the concerns” and that it “can be confident there is no longer any risk to the public”.

It said the evidence suggested the nurse “accessed the customer’s record once (22 January 2024)” and that there was “no evidence” that “any actions were performed by [the nurse] in relation to the record accessed”, while the nurse had been “open and honest about his conduct at the time they occurred and demonstrated sufficient regret and remorse in respect of his actions”.

NMC said there had been “no evidence of previous concerns in relation to [the nurse’s] performance at work” and it claimed the incident “was distressing for both parties involved”, while there was evidence that the nurse “had reflected on this incident and identified things he could do differently in future”. 

Carlo replied to NMC: “The letter actually makes [the nurse] sound more of a victim than me when in fact I am the only victim in all of this. 

“It was him who deliberately and maliciously searched and accessed my deeply personal medical information, then disclosed it to other people. 

“Even though the findings state he accessed my medical information only once, it only takes one time to breach someone’s privacy and cause them considerable distress.

“The only thing that [the nurse] regrets is getting caught and found out by me.”

Carlo has asked DWP to investigate if the nurse might have carried out assessments while under the influence of cannabis, as he worked from home.

The Metropolitan police are also investigating the nurse for alleged unauthorised access to Carlo’s “personal medical information”, and are in touch with Maximus, and plan to interview the nurse at a police station.

The Nursing and Midwifery Council, which has a history of failing to act on complaints against nurses working for assessment companies, refused to explain why it cleared the nurse, or if it would reopen the investigation, when there was an ongoing police probe.

It also refused to explain how it concluded there was no evidence that the nurse did anything with the information he accessed, despite being told by Carlo that he had shared it with neighbours and strangers.

Instead, an NMC spokesperson said: “While we can’t comment on individual cases, we want to reassure people that we look at every concern that’s raised with us about someone on our register very carefully, in line with decision making guidance that’s published and available on our website.

“Wherever necessary and possible, we will always take appropriate action to protect the public.”

Maximus declined to say if it had taken any action on data privacy as a result of the case or if it was still possible for one of its assessors to access the details of benefit claimants they are not responsible for assessing.

But a Maximus spokesperson said: “We have apologised to [Carlo] for the unacceptable actions of [the nurse] who previously worked for us. 

“He is no longer employed by our organisation. 

“We take all complaints relating to data security incredibly seriously. 

“Upon receiving this complaint, we took immediate action to gather the required information and a formal investigation was launched. 

“Our colleagues undertake regular training on information security and data protection, and we have rigorous policies in place to ensure the correct handling of personal information. 

“We understand this is subject to an ongoing police investigation, it would therefore be inappropriate for us to comment further.”

Ingeus declined to say if it had taken any action on data privacy as a result of the case, or if it was still possible for its assessors to access information from disabled people they are not responsible for assessing.

But an Ingeus spokesperson said: “As a result of the disciplinary process started by Maximus and completed by Ingeus, [the nurse] no longer works for Ingeus. 

“During his time with us, he never carried out any health assessments.

“Doing all we can to protect people’s personal information is absolutely vital to us. 

“We have a proactive programme of mandatory training to ensure our staff know and understand our policies and process on information security and data protection.”

He confirmed later that the nurse had been sacked for “breaching data privacy”.

A spokesperson for the Metropolitan police said: “Officers received reports on Sunday 10 November of an individual’s confidential medical information having been accessed without their consent.

“There have been no arrests. Enquiries are ongoing.”

Despite the police investigation, DWP refused to say if it was concerned by the case or if it was taking any action.

A DWP spokesperson said: “We cannot comment on individual cases. 

“We take data protection very seriously. 

“We ensure all our assessment suppliers are aware of their legal responsibility, including that it is an offence to access or disclose any information obtained which relates to customers, and are required to demonstrate how they have fully met this obligation.” 

*Not his real name

Credit for this article goes to John Pring with the Disability News Service