NHS hit with £180,000 fine for HIV patients data breach

Dean Street sexual health centre leaked the details of nearly 800 patients last September

An NHS trust has been fined £180,000 after a sexual health facility in central London accidentally leaked the personal details of 780 HIV clinic attendees by email.

The breach occurred on 1 September 2015, when the 56 Dean Street clinic in Soho disclosed the names and email addresses of HIV positive patients: it sent out a newsletter that was supposed to go out by blind carbon copy (BCC) but was instead sent with all the recipients' details entered in the carbon copy (CC) field.

The Information Commissioner's Office (ICO) handed Chelsea and Westminster Hospital NHS Foundation Trust the fine after conducting an eight-month investigation into how the breach happened and whether it could have been prevented.

At the time, health secretary Jeremy Hunt said the accident was "completely unacceptable" and ordered the Care Quality Commission, which oversees the running of NHS trusts, to examine existing data security measures across the NHS and recommend changes.

Commenting on today's fine, information commissioner Chris Graham said: "It is clear that this breach caused a great deal of upset to the people affected. The clinic served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too. That our investigation found this wasn't the first mistake of this type by the Trust only adds to what was a serious breach of the law."

Graham added: "The Trust was quick to apologise for [its] mistake and has undertaken substantial remedial work since the breach. Nevertheless, it is crucial that the senior management at NHS Trusts understand the requirements of data protection law, and the serious consequences that follow when that law is broken."

The trust fully accepted the ICO's findings, calling the incident a "serious breach", and said it had apologised to the people whose details the clinic had inadvertently revealed.

Medical director and Caldicott guardian Zoe Penn said: "We fully accept the ruling of the ICO for what was a serious breach and we have worked to ensure that it can never happen again. I reiterate my apology to all those that were affected by this incident.

"The immediate safeguards we have put in place at Dean Street have included deleting the original email distribution list, limiting the opportunity of group email distribution, making the Option E Newsletter available only from the public website and, where group email is required, putting a two-hour delay on recipients receiving group emails."

An internal investigation last autumn resulted in 15 trust-wide recommendations, including a review of all policies and procedures for the management of group email and significant staff training to strengthen information governance.

Penn added: "Whilst these safeguards have significantly strengthened our resilience, in order to minimise the potential for human error, we have bought an IT solution that will physically prevent anyone being able to send a group email incorrectly detailing the recipients, the implementation of which will be complete next month."
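The control the trust describes, a technical block on sending a group email with recipients visible in the To or Cc headers, is straightforward to implement as a pre-send check. The following is an added example written for this article; it is not the trust's own solution and assumes a mail pipeline in which every outgoing message passes through `check_outgoing()` before it is handed to the mail server. The threshold and the addresses are illustrative placeholders.

```python
"""Outbound-mail guard that enforces BCC for group mailings.

Added example, not the trust's or the article's code. Assumes every outgoing
message is passed through check_outgoing() before handoff to the MTA; the
policy threshold and the sample addresses are constructed for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Policy: if the headers every recipient can see (To + Cc) list more than this
# many addresses, the message is a group mailing and must use Bcc instead.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg: EmailMessage) -> list:
    """Return every address in To and Cc, i.e. those exposed to all recipients."""
    raw = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(raw) if addr]


def check_outgoing(msg: EmailMessage) -> tuple:
    """Decide whether a message may be sent.

    Returns (allowed, reason). A mailing with several addresses in To/Cc is
    blocked: that is the CC-instead-of-BCC failure described in the article.
    """
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        return False, f"{len(visible)} addresses exposed in To/Cc; use Bcc"
    return True, "ok"


def build_group_mailing(sender: str, subject: str, body: str,
                        recipients: list) -> EmailMessage:
    """Build a newsletter the safe way: sender in To, subscribers in Bcc.

    The MTA strips the Bcc header on delivery, so no recipient sees the others.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender            # visible placeholder, not a subscriber
    msg["Subject"] = subject
    msg["Bcc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def build_leaky_mailing(sender: str, subject: str, body: str,
                        recipients: list) -> EmailMessage:
    """The mistake from the article: every subscriber placed in Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg["Cc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


# Constructed sample list (placeholder addresses, not real subscribers).
SAMPLE_LIST = [f"subscriber{i}@example.invalid" for i in range(1, 6)]

if __name__ == "__main__":
    for builder in (build_leaky_mailing, build_group_mailing):
        m = builder("newsletter@clinic.example", "Newsletter", "Hello", SAMPLE_LIST)
        print(builder.__name__, check_outgoing(m))
```

Run stand-alone, the leaky message is refused with a reason naming the number of exposed addresses, while the Bcc version passes. A guard of this kind is only effective if it sits in the path every message takes (a sending gateway or a mail-client add-in), not in a script staff can bypass; the two-hour delay the trust mentions is a complementary control that gives a sender time to recall a message the guard did not catch.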

The trust has kept in touch with the patients whose data was leaked to make them aware of the actions it is taking to improve data protection.

The fine is significantly greater than that issued to the Bloomsbury Patient Network in December 2015, which suffered an almost identical data breach.

Once again, the emails of 200 patients who had attended HIV clinics and signed up to a newsletter were entered into the CC field, rather than BCC - a mistake that had already been made twice in 2014 by the same member of staff.

However, it only received a £250 fine because it is an unincorporated association, rather than a money-making corporation.

This story was originally published on 09/05/16 and updated later that day with comment from Chelsea and Westminster Hospital NHS Foundation Trust and the ICO.
