NHS trust that revealed email addresses of 781 HIV patients is fined £180,000
Clinic entered email addresses into the 'to' field instead of the 'bcc' field
Chelsea and Westminster Hospital NHS Foundation Trust has been fined £180,000 by the Information Commissioner's Office (ICO), after it revealed the email addresses of 780 HIV patients.
The data breach first came to light in September 2015, when it was found that 56 Dean Street, a clinic within the trust, based in Soho, sent a newsletter to 781 patients. The email addresses were entered into the "to" field instead of the blind carbon copy (bcc) field, meaning that recipients of the email could see the email addresses of all the other recipients. At the time, the ICO said it would investigate the matter.
In its enforcement notice, the ICO said that the Trust had made a similar error back in March 2010, when a member of staff in the Trust's pharmacy department sent a questionnaire to 17 patients; again, email addresses were entered into the "to" field instead of the "bcc" field. The Trust put in place some remedial measures following that breach, but no specific training to remind staff to double check that group email addresses were entered into the correct field. It also did not replace the email accounts it was using with an account that could send a separate email to each service user on the distribution list.
After the commissioner's investigation into the more recent data breach, it found that 730 of the 781 group email addresses contained the full names of service users. One of the service users had relocated to Essex and should have been removed from the distribution list altogether.
The clinic did not inform the service users when they subscribed to a service known as Option E - which was meant for patients with HIV to receive results and make appointments/enquiries by email - that their email addresses would be used to send newsletters to the other service users by bulk email.
The ICO said that the distress suffered by the service users "is considered to extend beyond mere irritation", and that if the information was misused by those who had access to it or disclosed to untrustworthy third parties, further distress could be caused.
The ICO will reduce the monetary penalty by 20 per cent to £144,000 if it receives the full payment by 2 June 2016. The early payment discount is not available if the Trust decides to exercise its right of appeal.
Back in September, when the Trust first revealed the details of the data breach, the Trust's director for sexual health, Dr Alan McOwan, wrote to patients affected to apologise for the error, adding that this was "clearly unacceptable".
A statement from the Trust's medical director and Caldicott guardian, Zoe Penn, said that the clinic had since put in place safeguards including deleting the original email distribution list, limiting the opportunity for group email distribution, making the Option E newsletter available only from the public website and, where group email is required, putting a two-hour delay on recipients receiving group emails.
Penn said that in order to minimise the potential for human error, the Trust "bought an IT solution that will physically prevent anyone being able to send a group email incorrectly detailing the recipients, the implementation of which will be complete next month".
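The two remedies the article describes, a control that stops a group email going out with the recipient list in the visible "to" field, and (the option the ICO noted the Trust had not adopted after 2010) sending a separate message to each person on a distribution list, can both be implemented as a send-time policy check in front of the mail gateway. The following Python is an added illustration, not the Trust's or its vendor's product; the recipient limit, the sender address and the recipient addresses (all on the reserved `example.invalid` domain) are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed policy value: more than this many addresses in the visible
# To/Cc headers is treated as a group mailing and refused.
MAX_VISIBLE_RECIPIENTS = 1


def _addresses(values) -> list[str]:
    """Parse header values into bare addresses, dropping display names."""
    return [addr for _name, addr in getaddresses([str(v) for v in values]) if addr]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Every address that all recipients will be able to see (To and Cc)."""
    return _addresses(msg.get_all("To", []) + msg.get_all("Cc", []))


def check_outbound(msg: EmailMessage, limit: int = MAX_VISIBLE_RECIPIENTS) -> tuple[bool, str]:
    """Send-time gate: refuse a message whose To/Cc headers expose a recipient list."""
    visible = visible_recipients(msg)
    if len(visible) > limit:
        return False, f"blocked: {len(visible)} addresses visible in To/Cc, limit is {limit}"
    return True, "ok"


def rewrite_to_bcc(msg: EmailMessage, sender: str) -> EmailMessage:
    """Hardened form of a group mailing: all recipients go to Bcc, To is the sender."""
    hidden = _addresses(msg.get_all("Bcc", [])) + visible_recipients(msg)
    del msg["To"]   # deleting an absent header is a no-op in email.message
    del msg["Cc"]
    del msg["Bcc"]
    msg["To"] = sender
    msg["Bcc"] = ", ".join(dict.fromkeys(hidden))  # de-duplicate, keep order
    return msg


def individual_messages(template: EmailMessage, recipients: list[str]) -> list[EmailMessage]:
    """Alternative remedy: one separate message per recipient, so no list is shared at all."""
    out = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"] = template["From"]
        m["Subject"] = template["Subject"]
        m["To"] = rcpt
        m.set_content(template.get_content())
        out.append(m)
    return out


def constructed_newsletter() -> EmailMessage:
    """Constructed sample: a newsletter drafted with three patients in the To field."""
    msg = EmailMessage()
    msg["From"] = "clinic-newsletter@example.invalid"
    msg["Subject"] = "Newsletter"
    msg["To"] = ("patient-one@example.invalid, patient-two@example.invalid, "
                 "patient-three@example.invalid")
    msg.set_content("constructed sample newsletter body")
    return msg


if __name__ == "__main__":
    draft = constructed_newsletter()
    print(check_outbound(draft))                 # refused: three visible recipients
    safe = rewrite_to_bcc(draft, "clinic-newsletter@example.invalid")
    print(check_outbound(safe))                  # accepted: only the sender is visible
    print(len(individual_messages(constructed_newsletter(),
                                  ["a@example.invalid", "b@example.invalid"])))
```

The gate deliberately counts Cc as well as To, since either header is delivered to everyone, and it is applied to the message as it will leave the system rather than to the address book, which is where the 2010 and 2015 errors were made. A hard block at the gateway, as opposed to a reminder in training, is what removes the dependence on an individual remembering which field to use.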
Penn said that the clinic had kept in touch with affected individuals, with their consent, to update them on the actions the Trust has taken to ensure this doesn't happen again.