The NHS has been fined £180,000 after a blunder at a London HIV clinic revealed the names and email addresses of more than 700 patients.
In September 2015, an employee at the 56 Dean Street clinic sent out its newsletter for HIV patients — but entered its recipients’ email addresses in the “To” field instead of the “bcc” field.
As a result, the email address of every recipient was visible to every other recipient — and for 730 of the 781 recipients, their full name as well.
The ICO (Information Commissioner’s Office), the British data watchdog, announced the £180,000 fine on Monday.
The newsletter is intended for people with HIV, meaning that the mistake effectively disclosed the recipients’ HIV status to hundreds of other people — though the ICO says a “small number” of people on the mailing list do not have HIV.
It’s actually the second time this has happened to the Chelsea and Westminster Hospital Foundation Trust, the NHS trust responsible for 56 Dean Street. Back in 2010, a questionnaire sent to patients about HIV treatments also didn’t “bcc” in recipients — although that error was far smaller, affecting only 17 rather than nearly 800.
“People’s use of a specialist service at a sexual health clinic is clearly sensitive personal data. The law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen,” information commissioner Christopher Graham said in a statement.
“It is clear that this breach caused a great deal of upset to the people affected. The clinic served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too. That our investigation found this wasn’t the first mistake of this type by the Trust only adds to what was a serious breach of the law.”