NHS hit with £180,000 fine for HIV patients data breach

Dean Street sexual health centre leaked the details of nearly 800 patients last September

An NHS trust has been fined 180,000 after a sexual health facility in central London accidentally leaked the personal details of 780 HIV clinic attendees by email.

The breach occured on 1 September 2015, when the 56 Dean Street clinic in Soho disclosed the names and email addresses of HIV positive patients when it sent out a newsletter that was supposed to be blind carbon copy (BCC) but was instead was sent out with all the details entered in the carbon copy (CC) field.

The Information Commissioner's Office (ICO) handed Chelsea and Westminster Hospital NHS Foundation Trust the fine after conducting an eight-month investigation into how the breach happened and whether it could have been prevented.

At the time, health secretary Jeremy Hunt said the accident was "completely unacceptable" and ordered the Care Quality Commission, which oversees the running of NHS trusts, to examine existing data security measures across the NHS and recommend changes.

Advertisement - Article continues below
Advertisement - Article continues below

Commenting on today's fine, information commissioner Chris Graham said: "It is clear that this breach caused a great deal of upset to the people affected. The clinic served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too. That our investigation found this wasn't the first mistake of this type by the Trust only adds to what was a serious breach of the law."

Graham added: "The Trust was quick to apologise for [its] mistake and has undertaken substantial remedial work since the breach. Nevertheless, it is crucial that the senior management at NHS Trusts understand the requirements of data protection law, and the serious consequences that follow when that law is broken."

The trust fully accepted the ICO's findings, calling the incident a "serious breach", and said it had apologised to the people whose details the clinic had inadvertently revealed.

Medical director and Caldicott guardian Zoe Penn said: "We fully accept the ruling of the ICO for what was a serious breach and we have worked to ensure that it can never happen again. I reiterate my apology to all those that were affected by this incident.

"The immediate safeguards we have put in place at Dean Street have included deleting the original email distribution list, limiting the opportunity of group email distribution, making the Option E Newsletter available only from the public website and, where group email is required, putting a two-hour delay on recipients receiving group emails."

An internal investigation last autumn resulted in 15 trust-wide recommendations, including a review of all policies and procedures for the management of group email and significant staff training to strengthen information governance.

Advertisement - Article continues below

Penn added: "Whilst these safeguards have significantly strengthened our resilience, in order to minimise the potential for human error, we have bought an IT solution that will physically prevent anyone being able to send a group email incorrectly detailing the recipients, the implementation of which will be complete next month."

The trust has kept in touch with the patients whose data was leaked to make them aware of the actions it is taking to improve data protection.

The fine is significantly greater than that issued to the Bloomsbury Patient Network in December 2015, which suffered an almost identical data breach.

Once again, the emails of 200 patients who had attended HIV clinics and signed up to a newsletter were entered into the CC field, rather than BCC - a mistake that had already been made twice in 2014 by the same member of staff.

Advertisement - Article continues below

However, it only received a 250 fine because it is an unincorporated association, rather than a money-making corporation.

This story was originally published on 09/05/16 and updated later that day with comment from Chelsea and Westminster Hospital NHS Foundation Trust and the ICO.

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now



Health Secretary bans pagers from NHS hospitals

25 Feb 2019
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019

How to protect against a DDoS attack

25 Oct 2019
data breaches

Ex-Equifax CIO to serve four months for insider trading

2 Jul 2019

Most Popular


How to use Chromecast without Wi-Fi

5 Feb 2020

The top ten password-cracking techniques used by hackers

10 Feb 2020
Microsoft Windows

Windows 7 bug blocks users from shutting down their PCs

10 Feb 2020

Coronavirus starts to take its toll on the tech industry

6 Feb 2020