A London sexual health clinic has unwittingly sent an email newsletter disclosing the names and email addresses of 780 people, revealing hundreds of HIV-positive patients.
The 56 Dean Street clinic, which is based in central London and run by the Chelsea and Westminster Hospital NHS Foundation Trust, offers treatment for HIV and provides sexual counselling alongside a full range of medical treatments.
The newsletter was sent to patients signed up to ‘option E’, which allows them to book appointments and receive test results by email. However, a staff member mistakenly copied in hundreds of names and sent the details as a group email.
Dr Alan McOwan, Chelsea and Westminster Trust director for sexual health, quickly set up a helpline for affected patients and issued an apology.
“I’m writing to apologise to you. This morning at around 11.30am we sent you the latest edition of Option E newsletter,” said McOwan in the email, reported by the Guardian.
“This is normally sent to individuals on an individual basis but unfortunately we sent out today’s email to a group of email addresses. We apologise for this error. We recalled/deleted the email as soon as we realised what had happened. If it is still in your inbox please delete it immediately.”
The Information Commissioner’s Office, which can enforce fines of up to £500,000 for serious data breaches, is aware of the incident and is making further enquiries.
Jacob Ginsberg, senior director at security firm Echoworx, explained that the breach was entirely preventable.
“Healthcare institutions need systems that provide complete visibility and control over the distribution of email and sensitive corporate documents so that they can ensure the protection of their patients’ personal information,” he said.
“The ubiquitous nature of the internet makes it easy for confidential information to find its way into the wrong hands. The security of data online must be viewed as a priority by everyone, especially in healthcare.”
Luke Brown, vice president and general manager at Digital Guardian, added that a mistake of this kind can have “life-altering effects”.
“Not only has 56 Dean Street revealed its customers’ medical diagnoses, but by not carefully protecting their data, their customers’ life insurance, employment opportunities and many other areas of their lives could be affected,” he said.
Tony Pepper, chief executive at security firm Egress, called the mistake a “shocking breach of trust”.
“This is particularly frustrating when lessons could have been learned from similar breaches to improve employee education on data protection and best practice when handling sensitive information,” he said.
“HIV is a particularly sensitive issue. For people to have this highly personal information sent in error is unacceptable.”