London NHS trust fined £180,000 after second bcc fail on HIV email list

The Information Commissioner's Office (ICO) has handed down a £180,000 fine to an NHS trust in London after it revealed the email addresses of more than 700 users of an HIV information service.

The data blunder occurred last year when a sexual health clinic at 56 Dean Street, which is operated as part of Chelsea and Westminster NHS Foundation Trust, failed to "bcc" recipients of the clinic's OptionE newsletter, circulated amongst those involved in HIV treatment.

The ICO said that 781 email addresses were included, with 730 containing people's full names. The ICO stated "A small number of people who received the newsletter did not have HIV".

An ICO investigation found that the trust had actually made a similar error previously. In March 2010 a member of staff in the pharmacy department sent a questionnaire to 17 patients in relation to their HIV treatment, entering emails in the "to" field instead of the "bcc" field.

"While some remedial measures were put in place following this mistake, there was no specific training implemented," the ICO reported.

The commish himself, Christopher Graham, said: “People’s use of a specialist service at a sexual health clinic is clearly sensitive personal data. The law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen.

“It is clear that this breach caused a great deal of upset to the people affected. The clinic served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too. That our investigation found this wasn’t the first mistake of this type by the Trust only adds to what was a serious breach of the law.” ®