ICO presents sexual health clinic with £250 data leak fine

The Information Commissioner's Office (ICO) has issued a £250 fine to sexual health clinic The Bloomsbury Patient Network after it accidentally leaked the details of HIV patients.

Bloomsbury Patient Network sent an email to 200 of its patients, but instead of blind copying the email addresses, it accidentally added them to the 'to' field, meaning patients were able to see all the recipients' addresses. The same staff member made this mistake twice in 2014, and the company suggested that 56 of the patients' email addresses revealed their full names.

"Our investigation uncovered initial problems at the Bloomsbury Patient Network back in February that weren't reported to us," head of enforcement at the ICO, Stephen Eckersley, said. "They were going to provide training for staff and start using a system that sends separate emails to users. It seems the second incident occurred before they had time to put these measures in place so we had to act."

The regulator said the fine was much smaller than other companies guilty of the same practice would receive because Bloomsbury Patient Network is an unincorporated association rather than a full, money-making company.

"The trustees of Bloomsbury Patient Network are individually liable to pay any monetary penalty which is why the fine is much smaller than usual," Eckersley continued.

"But it's important to warn others that this type of sensitive data can cause huge amounts of distress for the people involved. We need to send a clear message - no matter how small your organisation, you must make sure staff and volunteers are trained to protect personal data."

Another HIV clinic, 56 Dean Street, also made the same mistake, sending out its OptionE newsletter to 780 patients, many of whom were living with HIV.

Normally, the newsletter hides the recipients' details. However, according to The Guardian, a "human mistake" led to those details being displayed in full. The person responsible is said to be distraught.

An apology issued by Dr Alan McOwan, director for sexual health at the Chelsea and Westminster hospital NHS trust, which runs the clinic, said: "I'm writing to apologise to you. This morning at around 11.30am we sent you the latest edition of OptionE newsletter.

"This is normally sent to individuals on an individual basis but unfortunately we sent out today's email to a group of email addresses. We apologise for this error.

"We recalled/deleted the email as soon as we realised what had happened. If it is still in your inbox please delete it immediately.

"Clearly this is completely unacceptable. We are urgently investigating how this has happened and I promise you that we will take steps to ensure it never happens again. We will send you the outcome of the investigation."

The ICO said on Twitter that it is "aware of the incident regarding the 56 Dean Street clinic and [is] making enquiries".

The breach comes exactly one week after holiday firm Thomson sent an email containing the full names, addresses and holiday dates of customers to an unknown number of recipients.

Tony Pepper, CEO of secure software vendor Egress, said of this latest incident: "This is a shocking breach of trust, particularly given that it was a patient who uncovered the error ... HIV is a particularly sensitive issue [and] for people to have this highly personal information sent in error is unacceptable. Yet we keep seeing breaches of this kind occur."

"This is particularly frustrating when lessons could have been learned from similar breaches to improve employee education on data protection and best practice when handling sensitive information. Consequently, matching policy with smart information security technology is the best way to protect against human error. For example, if you're sending regular communications, you should take steps in advance to ensure that data is distributed correctly and securely."

Jane McCallion
Deputy Editor
