HIV clinic fined £250 for data breach

A health clinic that mistakenly revealed the identity of HIV-positive patients in a group email has been fined £250 by the UK’s data watchdog.

The Bloomsbury Patient Network provides information and support for people who are HIV-positive.

But twice in 2014, staff emailed up to 200 members at a time without obscuring other patients’ email addresses.

The Information Commissioner’s Office (ICO) said it had levied a fine that would not cause “financial hardship”.

Data breach

In February 2014, a member of staff at the Bloomsbury Patient Network emailed up to 200 patients who were HIV-positive.

The email addresses were entered into the “To” field, meaning they were visible to everybody who received the email.

Instead, email addresses should have been entered into the “BCC” field, which would have obscured them from other recipients.

In May 2014, the same member of staff repeated the error.

Serious error

The ICO said 56 of the 200 email addresses contained the full or partial real names of patients.

It also noted that the Bloomsbury Patient Network (BPN) had received five complaints.

Considering the subject matter of the email message, it ruled that this was a serious breach of data protection laws.

But the amount of the fine was mitigated by the “significant impact on BPN’s reputation as a result of this security breach”.

The BPN has not commented.

Continuing investigation

Another HIV support group, 56 Dean Street, in London, made the same mistake with an email sent in September 2015.

It exposed the names and email addresses of 780 people when a newsletter was issued.

The ICO told the BBC its investigation into that incident was continuing.

Fines for breaches of data protection can reach £500,000.

“No matter how big or small an organisation is, when dealing with sensitive information, policy, procedure, training, and supervision must be in place to reduce the probability of human error occurring,” said Shaun Griffin, executive director of external affairs for Terrence Higgins Trust, an HIV charity which was not implicated in the ICO ruling.

“Incidences such as these are rare, and should not put anybody off getting a test for HIV. Nearly one in six people with HIV does not realise they have it,” he said.

BBC News – Technology