NHS hit with £180,000 fine for HIV patients data breach

Dean Street sexual health centre leaked the details of nearly 800 patients last September

An NHS trust has been fined 180,000 after a sexual health facility in central London accidentally leaked the personal details of 780 HIV clinic attendees by email.

The breach occured on 1 September 2015, when the 56 Dean Street clinic in Soho disclosed the names and email addresses of HIV positive patients when it sent out a newsletter that was supposed to be blind carbon copy (BCC) but was instead was sent out with all the details entered in the carbon copy (CC) field.

The Information Commissioner's Office (ICO) handed Chelsea and Westminster Hospital NHS Foundation Trust the fine after conducting an eight-month investigation into how the breach happened and whether it could have been prevented.

At the time, health secretary Jeremy Hunt said the accident was "completely unacceptable" and ordered the Care Quality Commission, which oversees the running of NHS trusts, to examine existing data security measures across the NHS and recommend changes.

Advertisement - Article continues below
Advertisement - Article continues below

Commenting on today's fine, information commissioner Chris Graham said: "It is clear that this breach caused a great deal of upset to the people affected. The clinic served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too. That our investigation found this wasn't the first mistake of this type by the Trust only adds to what was a serious breach of the law."

Graham added: "The Trust was quick to apologise for [its] mistake and has undertaken substantial remedial work since the breach. Nevertheless, it is crucial that the senior management at NHS Trusts understand the requirements of data protection law, and the serious consequences that follow when that law is broken."

The trust fully accepted the ICO's findings, calling the incident a "serious breach", and said it had apologised to the people whose details the clinic had inadvertently revealed.

Medical director and Caldicott guardian Zoe Penn said: "We fully accept the ruling of the ICO for what was a serious breach and we have worked to ensure that it can never happen again. I reiterate my apology to all those that were affected by this incident.

"The immediate safeguards we have put in place at Dean Street have included deleting the original email distribution list, limiting the opportunity of group email distribution, making the Option E Newsletter available only from the public website and, where group email is required, putting a two-hour delay on recipients receiving group emails."

An internal investigation last autumn resulted in 15 trust-wide recommendations, including a review of all policies and procedures for the management of group email and significant staff training to strengthen information governance.

Advertisement - Article continues below

Penn added: "Whilst these safeguards have significantly strengthened our resilience, in order to minimise the potential for human error, we have bought an IT solution that will physically prevent anyone being able to send a group email incorrectly detailing the recipients, the implementation of which will be complete next month."

The trust has kept in touch with the patients whose data was leaked to make them aware of the actions it is taking to improve data protection.

The fine is significantly greater than that issued to the Bloomsbury Patient Network in December 2015, which suffered an almost identical data breach.

Once again, the emails of 200 patients who had attended HIV clinics and signed up to a newsletter were entered into the CC field, rather than BCC - a mistake that had already been made twice in 2014 by the same member of staff.

Advertisement - Article continues below

However, it only received a 250 fine because it is an unincorporated association, rather than a money-making corporation.

This story was originally published on 09/05/16 and updated later that day with comment from Chelsea and Westminster Hospital NHS Foundation Trust and the ICO.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now



Health Secretary bans pagers from NHS hospitals

25 Feb 2019
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019

How to protect against a DDoS attack

25 Oct 2019
data breaches

Ex-Equifax CIO to serve four months for insider trading

2 Jul 2019

Most Popular

data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
cyber security

If not passwords then what?

8 Jan 2020
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020