UK National Health Service fined over HIV patient data leak

A London NHS trust has been fined £180,000 by the UK Information Commissioner’s Office (ICO) after accidentally leaking the names of over 700 HIV sufferers.


The ICO, responsible for upholding the UK’s Data Protection Act, said on Monday that 56 Dean Street, an NHS sexual clinic based in Soho, revealed this information through a newsletter service.

The clinic offers HIV results and appointments through email, and as part of the service, newsletters were occasionally sent out. A costly error, however, revealed that the September 2015 edition of the newsletter allowed all recipients to see each others’ email addresses.

The message was sent with the recipients in the ‘to’ field rather than the ‘bcc’ field. Addresses in ‘to’ are visible to every recipient, while ‘bcc’ hides recipients from each other.
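The ‘to’ versus ‘bcc’ distinction is easy to enforce in code before a bulk message ever leaves the mail system. The example below is added here for illustration; it is not the clinic's, the trust's or the ICO's code, and every address in it is a constructed placeholder. It builds the newsletter both ways, exposes a pre-send check that refuses any message whose visible headers carry more than one address, and shows the step mail libraries perform on the way out: deriving the SMTP envelope from To/Cc/Bcc and stripping the Bcc header before the message is serialised. That last step matters because handing a raw message with its Bcc header still in place to a low-level send call would disclose the list just as the ‘to’ mistake did.

```python
"""Pre-send recipient-disclosure guard for a bulk mailing (added example,
not the clinic's or the ICO's code). All addresses are constructed placeholders."""
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample sender and mailing list; none of these are real addresses.
SENDER = "newsletter@clinic.example.invalid"
RECIPIENTS = [
    "patient.one@example.invalid",
    "patient.two@example.invalid",
    "patient.three@example.invalid",
]


def build_unsafe(recipients):
    """The mistake described in the article: the whole list goes in 'To',
    so every recipient's mail client shows every other address."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Clinic newsletter"
    msg.set_content("Newsletter body (constructed sample).")
    return msg


def build_safe(recipients):
    """The list goes in 'Bcc'; 'To' carries only the sender's own address,
    which is therefore the only address any recipient will see."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = "Clinic newsletter"
    msg.set_content("Newsletter body (constructed sample).")
    return msg


def _addresses(msg, *fields):
    """Flatten the named header fields into a sorted list of bare addresses."""
    values = []
    for field in fields:
        values.extend(str(v) for v in msg.get_all(field, []))
    return sorted({addr for _, addr in getaddresses(values) if addr})


def exposed_recipients(msg):
    """Addresses visible to everyone who receives the message (To and Cc)."""
    return _addresses(msg, "To", "Cc")


def check_before_send(msg, max_visible=1):
    """Refuse a bulk message that would disclose more than `max_visible`
    addresses. Returns the visible addresses when the message passes."""
    exposed = exposed_recipients(msg)
    if len(exposed) > max_visible:
        raise ValueError(
            f"refusing to send: {len(exposed)} recipient addresses would be disclosed"
        )
    return exposed


def prepare_for_transport(msg):
    """Do what smtplib.SMTP.send_message does internally: derive the SMTP
    envelope from To/Cc/Bcc, then drop the Bcc header so the list never
    reaches the wire. Passing the raw message with Bcc still present to a
    low-level SMTP.sendmail() call would leak the list like the 'To' mistake."""
    envelope = _addresses(msg, "To", "Cc", "Bcc")
    clean = copy.copy(msg)  # shallow copy is enough: deleting a header rebinds the header list
    del clean["Bcc"]
    return envelope, clean.as_bytes()


if __name__ == "__main__":
    safe = build_safe(RECIPIENTS)
    print("visible to recipients:", check_before_send(safe))
    envelope, wire = prepare_for_transport(safe)
    print("SMTP envelope:", envelope)
    print("Bcc header on the wire:", b"Bcc:" in wire)
    try:
        check_before_send(build_unsafe(RECIPIENTS))
    except ValueError as err:
        print(err)
```

Wiring `check_before_send` in front of whatever actually performs the send turns the ‘to’/‘bcc’ slip from a one-off human error into a condition the system rejects; the threshold of one visible address accommodates the common pattern of putting the sender's own address in ‘To’.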

In total, 730 out of the 781 registered email addresses revealed the full name of the patient — and in addition, a number of those who were sent the newsletter did not have HIV.

Today, in a cybersecurity landscape where data breaches are a common occurrence, the accidental release of names — especially in such a small number — isn’t such a big deal. However, when the data breach is in the health sector and relates to conditions such as HIV, the information leak can be devastating to sufferers who may wish to keep their condition private or have not told others about the diagnosis.

Chelsea and Westminster Hospital NHS Foundation Trust, which runs the clinic, must pay the price of the breach, which the ICO said likely caused “substantial distress” to the victims.

Information Commissioner Christopher Graham said:

“People’s use of a specialist service at a sexual health clinic is clearly sensitive personal data. The law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen.

The clinic served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too.”

This is not the first time the trust has made such an error. In 2010, a member of staff also made the same mistake when sending an HIV treatment questionnaire to 17 patients.

“That our investigation found this wasn’t the first mistake of this type by the Trust only adds to what was a serious breach of the law,” said Graham.
