The Information Commissioner's Office (ICO) has issued a fine of £180,000 after Chelsea and Westminster Hospital NHS Foundation Trust exposed the email addresses of 780 HIV patients.
The incident came to light in September 2015 when it was found that 56 Dean Street, a clinic in the trust based in Soho, sent a newsletter to 781 patients.
The email addresses were entered into the 'to' field instead of the blind carbon copy (bcc) field, meaning that every recipient of the email could see the email address of every other recipient.
An ICO enforcement notice said that the trust had made a similar error in March 2010 when a member of staff in the pharmacy department sent a questionnaire to 17 patients, again with email addresses entered into the 'to' field.
The trust put some remedial measures in place following the breach but did not train staff to double-check that the group email addresses were entered into the correct field. It also did not replace the email accounts it was using with an account that could send a separate email to each service user on the distribution list.
The ICO investigation into the more recent data breach found that 730 of the 781 group email addresses contained the full names of service users. One had moved to Essex and should have been taken off the distribution list altogether.
When patients subscribed to a service known as Option E, which was meant for those with HIV to receive results and make appointments/enquiries by email, 56 Dean Street did not inform them that their addresses would be used to send newsletters to the other service users by bulk email.
The ICO said that the distress suffered by the patients "is considered to extend beyond mere irritation", and that further distress could be caused if the information had been misused by those who had access to it or disclosed to untrustworthy third parties.
Outgoing information commissioner Christopher Graham explained that the nature of the data was clearly sensitive and could have caused huge problems.
"It is clear that this breach caused a great deal of upset to the people affected. The clinic served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too," he said.
"That our investigation found this wasn't the first mistake of this type by the trust only adds to what was a serious breach of the law."
Medical director Zoe Penn said that the Chelsea and Westminster Hospital NHS Foundation Trust fully accepted the ruling and apologised again to all those affected.
She added that changes have been made to how email is used at the trust, including new email software to stop the mistake happening again.
"A clinically led internal investigation took place in the autumn with 15 trust-wide recommendations made. These actions included a review of all policies and procedures for the management of group email, and significant staff training to strengthen information governance," she said.
"Whilst these safeguards have significantly strengthened our resilience, in order to minimise the potential for human error we have bought an IT solution that will physically prevent anyone being able to send a group email incorrectly detailing the recipients, the implementation of which will be complete next month."
The ICO will reduce the fine by 20 per cent to £144,000 if full payment is received by 2 June. The early payment discount is not available if the Trust decides to exercise its right of appeal.
Dr Alan McOwan, the trust's director for sexual health, apologised for the "clearly unacceptable" error in a letter to affected patients in September, when the trust first revealed details of the data breach.