The NHS has been fined £180,000 after a sexual health centre leaked the details of almost 800 patients who had attended HIV clinics.
By Chris Foxx, Technology reporter
The 56 Dean Street clinic in London sent out a newsletter in 2015 that mistakenly revealed the recipients’ email addresses to one another.
Patients were supposed to be blind-copied into the email, but instead it was sent as a group email with their details visible to every recipient.
The Information Commissioner said it was a “serious breach of the law”.
“People’s use of a specialist service at a sexual health clinic is clearly sensitive personal data,” said Information Commissioner Christopher Graham.
“The law demands this type of information is handled with particular care following clear rules and, put simply, this did not happen.
“It is clear that this breach caused a great deal of upset to the people affected.”
The email error, made in September 2015, meant that 781 people who had attended HIV clinics and opted in to an online service could see the names and email addresses of other patients.
At the time, the clinic’s consultant Dr Alan McOwan said: “We screwed up on this one”.
The clinic stressed that not all the people who received the newsletter were HIV positive, but 730 of the email addresses on the list contained the full names of their owners.
“The clinic served a small area of London and we know that people recognised other names on the list, and feared their own name would be recognised too,” said Mr Graham.
The investigation by the Information Commissioner’s Office (ICO) found that the Chelsea and Westminster Hospital NHS Foundation Trust, which operates 56 Dean Street, had made a similar error in 2010.
A pharmacy employee had emailed an HIV treatment questionnaire to 17 patients, also entering the email addresses in the “to” field instead of the “bcc” field.
“That our investigation found this wasn’t the first mistake of this type by the Trust only adds to what was a serious breach of the law,” said Mr Graham.
The Trust’s Medical Director Zoe Penn said: “We fully accept the ruling of the ICO for what was a serious breach and we have worked to ensure that it can never happen again.
“I reiterate my apology to all those that were affected by this incident.
“We have kept in touch with affected individuals, with their consent, to update them on the actions we have and will continue to take in order to prevent others from being put in a similar situation in the future.”