There is no liability
This is not to say that there might or might not be a breach of the GDPR, it’s just that the GDPR does not give individuals a right to sue. Only the national regulator can take action.
The photos showed a nude child. Therefore, under UK law they are prima facie indecent child abuse material. It is illegal to make, possess, and distribute such material.
Fortunately the police probably decided you had a legitimate reason:
Prosecutors are reminded that where an intimate image is made, published, sent or stored for clinical reasons in accordance with the operational guidance led by NHS England and Improvement, this will normally amount to a “legitimate reason” in relation to the patient and/or carer and to any clinician involved in the process.
Did you follow the “operational guidance led by NHS England and Improvement”? Do you even know what they are?
You were lucky not to be charged and your doctor is an idiot. Catch a different police officer on a different day in a different mood and you could have found yourself trying to convince a jury of your legitimate reason.
Google was not mistaken in determining that you had potentially posted child abuse material.
Is there a breach of GDPR?
Maybe.
The photos are PII and special category data.
It is lawful to share such data with law enforcement if there is a lawful basis for doing so under Article 6 and a condition for processing under Article 9. Without knowing Google’s reasons for sharing the data, it’s impossible to know if they complied with this.
Their privacy policy does say that they will share data to “Protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.”
Based on your description, it appears that Google did not share any PII until law enforcement requested it. Now, it’s obvious that by reporting that they potentially had indecent images of a child that such a request would follow but the distinction is significant.
Google still need to comply with the GDPR but they are more likely to meet the balancing test for legitimate interest if they are responding to a request. Google probably should have shared only the photos for the police to assess if further investigation was warranted - the GDPR requires the sharing of only required information.
Google’s actions probably warrant investigation even though it’s likely they can justify them to the regulator.