A London-based sexual health clinic has been fined £180,000 by the UK privacy watchdog after leaking confidential data on nearly 800 people and revealing the identities of hundreds of HIV-positive patients. The clinic, based at 56 Dean Street, London, and run by the Chelsea and Westminster Hospital NHS Foundation Trust, offers treatment for HIV and a range of counselling courses.
It was previously disclosed in September 2015 that the clinic had sent an email newsletter containing sensitive medical information relating to a total of 781 patients in a mass group email – which, in turn, exposed the names and email addresses of those who had signed up for HIV treatments.
Now, following an investigation carried out by the Information Commissioner's Office (ICO), it has been revealed that the clinic did not inform patients when they subscribed to the newsletter that their email addresses would be contacted by way of a bulk send, or 'mailout'. Additionally, the ICO found the Trust had made a similar error in March 2010 after a staff member sent a questionnaire to 17 patients in a group email that mentioned HIV treatment.
Christopher Graham, who manages the independent watchdog, said in a report published by The Guardian on 9 May: "People's use of a specialist service at a sexual health clinic is clearly sensitive personal data. The law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen.
"It is clear that this breach caused a great deal of upset to the people affected. The clinic served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too. That our investigation found this wasn't the first mistake of this type by the Trust only adds to what was a serious breach of the law.
"The Trust was quick to apologise for their mistake, and has undertaken substantial remedial work since the breach. Nevertheless, it is crucial that the senior managers at NHS Trusts understand the requirements of data protection law, and the serious consequences that follow when that law is broken." The ICO tweeted on Monday afternoon (9 May) that it had fined the London NHS trust for revealing the confidential data.
Meanwhile, Zoe Penn, the 56 Dean Street clinic's medical director, said: "We fully accept the ruling of the ICO for what was a serious breach and we have worked to ensure that it can never happen again. I reiterate my apology to all those that were affected by this incident. We have kept in touch with affected individuals, with their consent, to update them on the actions we have and will continue to take in order to prevent others from being put in a similar situation in the future."
At the time of the initial incident, UK Health Secretary Jeremy Hunt said: "Nothing matters more to us than our own health, but we must also understand that for NHS patients nothing matters more to them than confidence that the NHS will look after their own personal medical data with the highest standards of security."
As reported by The Guardian, while speaking at the annual NHS conference in Manchester last year, Hunt added: "The truth is the NHS has not won the public's trust in our ability to do this as [the] completely unacceptable data breach at the Dean Street surgery demonstrates."