Data stored by a HIV clinic in London has been leaked, revealing personal information for almost 800 patients and resulting in the 56 Dean Street clinic being fined £180,000.
A newsletter was sent out by the sexual health clinic in September 2015, but instead of all the recipients’ email addresses being entered into the “bcc” field, they were accidentally entered into the “To” field. This meant that instead of everyone’s email address being hidden from view by fellow recipients (blind-copied), they were viewable to all recipients.
730 of the 781 email addresses contained patients’ full names, and the majority of these patients were HIV positive, although the clinic stressed a number of people were not. Of particular concern to the patients, though, was that because it was a local clinic, their names might have been recognised by others, putting their anonymity at risk.
As a result of the leak, and following an investigation by the Information Commissioner’s Office (ICO), the Chelsea and Westminster Hospital NHS Foundation Trust – who operates the clinic – was fined over the “serious breach of the law”.
Christopher Graham, the Information Commissioner, said: “People’s use of a specialist service at a sexual health clinic is clearly sensitive personal data. The law demands this type of information is handled with particular care following clear rules and, put simply, this did not happen.”
“It is clear that this breach caused a great deal of upset to the people affected,” he continued.
Worryingly, a similar error was found to have occurred at 56 Dean Street back in 2010, when a HIV questionnaire was emailed to 17 people, again using the “To” field rather than blind-copying the recipients in.
The medical director of the Trust, Zoe Penn, has responded to the issue, saying: “We fully accept the ruling of the ICO for what was a serious breach, and we have worked to ensure that it can never happen again. I reiterate my apology to all those that were affected by this incident.”
Image courtesy of 56 Dean Street