One of Britain's leading sexual health clinics has apologised after it accidentally shared the personal details of nearly 800 patients diagnosed with HIV. The 56 Dean Street clinic in Soho, Central London, admitted it accidentally sent out the names and email addresses of 780 HIV patients in a newsletter and have launched an investigation.
The data breach is thought to be the biggest of its kind seen in the UK. The clinic sent out a follow-up email to all its patients in which it apologised for the "human error".
The newsletter, which contains information on HIV services and treatment and also allows users book appointments, is sent out monthly. The other recipients of the email are not usually visible to anyone else. However, due to the administration error, the names and emails addresses of the other patients were included on the recipient list.
One patient, who wished to remain anonymous, described to beyondpositive his disappointment in how the clinic handled his personal data. The patient added: "56 Dean Street have a service called Option E – that's for patients who prefer to book appointments and get results via email. They send a regular email newsletter to their patients, keeping them updated.
"However, yesterday [Tuesday 1 Sept], instead of putting a batch of several hundred or so email addresses in the BCC box, they put them in the to box, thereby revealing the people's full names and email addresses to every other recipient; and, of course, because they're all Option E customers, we also now know their HIV status."
"This is serious breach of data protection. There are several names I recognise from the list, and while I am of course being discreet, I am not sure I trust every other person on the list to do the same."
Tony Pepper, CEO for security specialist Egress, described the leak as a "shocking breach of trust". He added: "Particularly given that it was a patient that uncovered the error which could cause a lot of distress to the individuals involved. HIV is a particularly sensitive issue, for people to have this highly personal information sent in error is unacceptable. Yet we keep seeing breaches of these kinds occur. This is particularly frustrating when lessons could have been learned from similar breaches to improve employee education on data protection and best practice when handling sensitive information."
The apology email, from Dr Alan McOwan, Chelsea and Westminster hospital NHS trust's director for sexual health, said: "I'm writing to apologise to you. This morning at around 11.30am at we sent you the latest edition of OptionE newsletter.
"This is normally sent to individuals on an individual basis but unfortunately we sent out today's email to a group of email addresses. We apologise for this error. We recalled/deleted the email as soon as we realised what had happened. If it is still in your inbox please delete it immediately.
"Clearly this is completely unacceptable. We are urgently investigating how this has happened and I promise you that we will take steps to ensure it never happens again. We will send you the outcome of the investigation."
A spokesperson for the Chelsea and Westminster Hospital said: "We can confirm that due to an administrative error, a newsletter about services at 56 Dean Street was sent to an email group rather than individual recipients. We have immediately contacted all the email recipients to inform them of the error and apologise."
The clinic said concerned patients can call 020 3315 9555 and 020 3315 9594, both of which are open until 6pm.