NHS hit with £180,000 fine for HIV patients data breach

Dean Street sexual health centre leaked the details of nearly 800 patients last September

An NHS trust has been fined 180,000 after a sexual health facility in central London accidentally leaked the personal details of 780 HIV clinic attendees by email.

The breach occured on 1 September 2015, when the 56 Dean Street clinic in Soho disclosed the names and email addresses of HIV positive patients when it sent out a newsletter that was supposed to be blind carbon copy (BCC) but was instead was sent out with all the details entered in the carbon copy (CC) field.

The Information Commissioner's Office (ICO) handed Chelsea and Westminster Hospital NHS Foundation Trust the fine after conducting an eight-month investigation into how the breach happened and whether it could have been prevented.

At the time, health secretary Jeremy Hunt said the accident was "completely unacceptable" and ordered the Care Quality Commission, which oversees the running of NHS trusts, to examine existing data security measures across the NHS and recommend changes.

Commenting on today's fine, information commissioner Chris Graham said: "It is clear that this breach caused a great deal of upset to the people affected. The clinic served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too. That our investigation found this wasn't the first mistake of this type by the Trust only adds to what was a serious breach of the law."

Graham added: "The Trust was quick to apologise for [its] mistake and has undertaken substantial remedial work since the breach. Nevertheless, it is crucial that the senior management at NHS Trusts understand the requirements of data protection law, and the serious consequences that follow when that law is broken."

The trust fully accepted the ICO's findings, calling the incident a "serious breach", and said it had apologised to the people whose details the clinic had inadvertently revealed.

Medical director and Caldicott guardian Zoe Penn said: "We fully accept the ruling of the ICO for what was a serious breach and we have worked to ensure that it can never happen again. I reiterate my apology to all those that were affected by this incident.

"The immediate safeguards we have put in place at Dean Street have included deleting the original email distribution list, limiting the opportunity of group email distribution, making the Option E Newsletter available only from the public website and, where group email is required, putting a two-hour delay on recipients receiving group emails."

An internal investigation last autumn resulted in 15 trust-wide recommendations, including a review of all policies and procedures for the management of group email and significant staff training to strengthen information governance.

Penn added: "Whilst these safeguards have significantly strengthened our resilience, in order to minimise the potential for human error, we have bought an IT solution that will physically prevent anyone being able to send a group email incorrectly detailing the recipients, the implementation of which will be complete next month."

The trust has kept in touch with the patients whose data was leaked to make them aware of the actions it is taking to improve data protection.

The fine is significantly greater than that issued to the Bloomsbury Patient Network in December 2015, which suffered an almost identical data breach.

Once again, the emails of 200 patients who had attended HIV clinics and signed up to a newsletter were entered into the CC field, rather than BCC - a mistake that had already been made twice in 2014 by the same member of staff.

However, it only received a 250 fine because it is an unincorporated association, rather than a money-making corporation.

This story was originally published on 09/05/16 and updated later that day with comment from Chelsea and Westminster Hospital NHS Foundation Trust and the ICO.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Identity Automation launches credential breach monitoring service
phishing

Identity Automation launches credential breach monitoring service

5 Oct 2021
Neiman Marcus data breach hits 4.6 million customers
data breaches

Neiman Marcus data breach hits 4.6 million customers

4 Oct 2021
Indiana notifies 750,000 after COVID-19 tracing data accessed
data breaches

Indiana notifies 750,000 after COVID-19 tracing data accessed

18 Aug 2021
Pearson fined $1 million for downplaying severity of 2018 breach
data breaches

Pearson fined $1 million for downplaying severity of 2018 breach

17 Aug 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021