London Clinic Worker Forgets To Use BCC, Outs 700 HIV Patients

Worse, it wasn't the first time

Illustration: Diana Quach
May 09, 2016 at 4:07 PM ET

A London health clinic has been fined £180,000 ($258,992) for accidentally revealing the email addresses—and in most cases, names—of hundreds of patients infected with HIV.

56 Dean Street, a sexual health clinic that provides free HIV testing to the public, relies on email to make appointments with patients and to send them an occasional newsletter. When sending out its September newsletter, one clinic employee made an enormous mistake: the 781 recipients were put in the visible To field instead of BCC, so every recipient could see every other recipient's address. Of those exposed email addresses, 730 clearly included their owner’s full name. Most, but not all, of the recipients were infected with HIV, according to the Information Commissioner’s Office (ICO), which regulates U.K. data protection.

“People’s use of a specialist service at a sexual health clinic is clearly sensitive personal data. The law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen,” Information Commissioner Christopher Graham said in a statement.

“It is clear that this breach caused a great deal of upset to the people affected. The clinic served a small area of London, and we know that people recognized other names on the list, and feared their own name would be recognized too,” he added.

The U.K. has fairly strict data protection laws. Graham’s office found that the breach by the Chelsea and Westminster Hospital NHS Foundation Trust, which runs 56 Dean Street, was “likely to have caused substantial distress” and violated the country’s Data Protection Act of 1998, which demands “a level of security appropriate to the harm that might result from such unauthorized or unlawful processing [and] the nature of the data to be protected.”

This isn’t the first time 56 Dean Street has exposed its patients. An employee committed a similar error in 2010, sending a questionnaire to 17 people without hiding their email addresses.

According to the ICO, staff did not receive specific training after the 2010 incident to always put patients’ email addresses into the BCC field when contacting multiple people. Training alone leaves the control in the hands of whoever presses Send; a bulk-mail tool that cannot place patient addresses in a visible header would have prevented both incidents regardless of training.
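The following is an added example, not code from the article or from the clinic, showing what a technical control for this failure mode looks like: a newsletter builder that keeps the recipient list out of every header and passes it only as the SMTP envelope, plus a guard that refuses any bulk message with more than one visible address. The sender address and the three recipient addresses are constructed placeholders for illustration, not real patients.

```python
"""Bulk-mail guard: keep recipient addresses out of message headers.

Added example. The policy implemented: a bulk message may show at most one
visible address (the sender's own generic mailbox), and recipients travel
only in the SMTP envelope, never in To, Cc, or even a Bcc header.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed, hypothetical recipient list for the demonstration.
SAMPLE_RECIPIENTS = [
    "patient-a@example.org",
    "patient-b@example.org",
    "patient-c@example.org",
    "patient-a@example.org",  # duplicate, to show de-duplication of the envelope
]

# A bulk message may expose at most this many addresses in To/Cc.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address a recipient would see in the To and Cc headers."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields) if addr]


def check_bulk_headers(msg: EmailMessage) -> None:
    """Refuse a bulk message that would expose other recipients.

    Raises ValueError if more than MAX_VISIBLE_RECIPIENTS addresses are
    visible, or if a Bcc header is present at all (some clients and relays
    do not strip it, so the safe rule is never to write one).
    """
    seen = visible_recipients(msg)
    if len(seen) > MAX_VISIBLE_RECIPIENTS:
        raise ValueError(
            f"{len(seen)} addresses visible in To/Cc; bulk mail must not expose recipients"
        )
    if msg.get_all("Bcc"):
        raise ValueError("Bcc header present; recipients must be envelope-only")


def build_bulk_message(sender: str, recipients: list[str], subject: str, body: str):
    """Build (message, envelope_recipients) for a newsletter.

    The visible To header carries only the sender's generic mailbox. The
    recipient list is returned separately for the SMTP envelope and never
    appears in the message bytes, so no mail client can reveal it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    check_bulk_headers(msg)
    envelope = list(dict.fromkeys(recipients))  # de-duplicate, keep order
    return msg, envelope


def build_leaky_message(sender: str, recipients: list[str], subject: str, body: str):
    """The mistake described in the article: every recipient in the To header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send(smtp, msg: EmailMessage, envelope_recipients: list[str]):
    """Send through an smtplib.SMTP-like object, re-running the guard first.

    sendmail() takes the envelope recipients explicitly, so the header check
    and the envelope are independent: a message that passes the guard cannot
    leak the list even if someone later edits the headers.
    """
    check_bulk_headers(msg)
    return smtp.sendmail(msg["From"], envelope_recipients, msg.as_bytes())


if __name__ == "__main__":
    msg, rcpts = build_bulk_message(
        "newsletter@clinic.example", SAMPLE_RECIPIENTS, "September newsletter", "Hello."
    )
    print("visible:", visible_recipients(msg), "envelope:", rcpts)
    leaky = build_leaky_message(
        "newsletter@clinic.example", SAMPLE_RECIPIENTS, "September newsletter", "Hello."
    )
    try:
        check_bulk_headers(leaky)
    except ValueError as exc:
        print("blocked:", exc)
```

The guard runs twice on purpose, once at build time and once in `send`, so that the check cannot be bypassed by constructing the message elsewhere. The real-world remainder is operational: the newsletter tool should be the only path staff have for contacting more than one patient, so that a webmail client with a To field is never the instrument.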