IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

NHS hit with £180,000 fine for HIV patients data breach

Dean Street sexual health centre leaked the details of nearly 800 patients last September

An NHS trust has been fined 180,000 after a sexual health facility in central London accidentally leaked the personal details of 780 HIV clinic attendees by email.

The breach occured on 1 September 2015, when the 56 Dean Street clinic in Soho disclosed the names and email addresses of HIV positive patients when it sent out a newsletter that was supposed to be blind carbon copy (BCC) but was instead was sent out with all the details entered in the carbon copy (CC) field.

The Information Commissioner's Office (ICO) handed Chelsea and Westminster Hospital NHS Foundation Trust the fine after conducting an eight-month investigation into how the breach happened and whether it could have been prevented.

At the time, health secretary Jeremy Hunt said the accident was "completely unacceptable" and ordered the Care Quality Commission, which oversees the running of NHS trusts, to examine existing data security measures across the NHS and recommend changes.

Commenting on today's fine, information commissioner Chris Graham said: "It is clear that this breach caused a great deal of upset to the people affected. The clinic served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too. That our investigation found this wasn't the first mistake of this type by the Trust only adds to what was a serious breach of the law."

Graham added: "The Trust was quick to apologise for [its] mistake and has undertaken substantial remedial work since the breach. Nevertheless, it is crucial that the senior management at NHS Trusts understand the requirements of data protection law, and the serious consequences that follow when that law is broken."

The trust fully accepted the ICO's findings, calling the incident a "serious breach", and said it had apologised to the people whose details the clinic had inadvertently revealed.

Medical director and Caldicott guardian Zoe Penn said: "We fully accept the ruling of the ICO for what was a serious breach and we have worked to ensure that it can never happen again. I reiterate my apology to all those that were affected by this incident.

"The immediate safeguards we have put in place at Dean Street have included deleting the original email distribution list, limiting the opportunity of group email distribution, making the Option E Newsletter available only from the public website and, where group email is required, putting a two-hour delay on recipients receiving group emails."

An internal investigation last autumn resulted in 15 trust-wide recommendations, including a review of all policies and procedures for the management of group email and significant staff training to strengthen information governance.

Penn added: "Whilst these safeguards have significantly strengthened our resilience, in order to minimise the potential for human error, we have bought an IT solution that will physically prevent anyone being able to send a group email incorrectly detailing the recipients, the implementation of which will be complete next month."

The trust has kept in touch with the patients whose data was leaked to make them aware of the actions it is taking to improve data protection.

The fine is significantly greater than that issued to the Bloomsbury Patient Network in December 2015, which suffered an almost identical data breach.

Once again, the emails of 200 patients who had attended HIV clinics and signed up to a newsletter were entered into the CC field, rather than BCC - a mistake that had already been made twice in 2014 by the same member of staff.

However, it only received a 250 fine because it is an unincorporated association, rather than a money-making corporation.

This story was originally published on 09/05/16 and updated later that day with comment from Chelsea and Westminster Hospital NHS Foundation Trust and the ICO.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
DHSC sets out ambitious targets for NHS App by 2023, beyond
Business strategy

DHSC sets out ambitious targets for NHS App by 2023, beyond

29 Jun 2022
Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

18 Feb 2022
Gumtree site code made personal data of users and sellers publicly accessible
data protection

Gumtree site code made personal data of users and sellers publicly accessible

16 Dec 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Samsung proposes 11 Texas semiconductor plants worth $191 billion
Hardware

Samsung proposes 11 Texas semiconductor plants worth $191 billion

21 Jul 2022
Should you take your password manager off the internet?
Sponsored

Should you take your password manager off the internet?

28 Jul 2022