NHS fined £180k for data breach that leaked HIV clinic patient identities
The NHS has been fined thousands of pounds for revealing the identities of hundreds of patients of a London HIV clinic because of an email error.
A newsletter from a sexual health clinic in Soho was sent out to more than 700 users of an HIV service last year with patient email addresses and full names in the "cc" rather than "bcc" field. All but a few of those signed up to the newsletter are living with HIV.
The Information Commissioner's Office has fined the Chelsea and Westminster Hospital NHS Trust, which runs the clinic, £180,000 for seriously breaching the Data Protection Act. It also found that this was not the first time the mistake had happened, citing a similar incident in 2010.
“People’s use of a specialist service at a sexual health clinic is clearly sensitive personal data. The law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen,” said Information Commissioner Christopher Graham.
“It is clear that this breach caused a great deal of upset to the people affected. The clinic served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too. That our investigation found this wasn’t the first mistake of this type by the Trust only adds to what was a serious breach of the law.”
The NHS must report all breaches to the data regulator, which has the power to fine organisations up to £500,000. Last week it fined an NHS Trust in Blackpool £185,000 for posting the private information of thousands of staff online.