HIV clinic fined £250 for data breach By Chris Fox

Technology reporter Published duration 18 December 2015

image copyright Thinkstock

A health clinic that mistakenly revealed the identity of HIV-positive patients in a group email has been fined £250 by the UK's data watchdog.

The Bloomsbury Patient Network provides information and support for people who are HIV-positive.

But twice in 2014, staff emailed up to 200 members at a time without obscuring other patients' email addresses.

The Information Commissioner's Office (ICO) said it had levied a fine that would not cause "financial hardship".

Data breach

In February 2014, a member of staff at the Bloomsbury Patient Network emailed up to 200 patients who were HIV-positive.

The email addresses were entered into the "To" field, meaning they were visible to everybody who received the email.

Instead, email addresses should have been entered into the "BCC" field, which would have obscured them from other recipients.

In May 2014, the same member of staff repeated the error.

Serious error

image copyright Thinkstock image caption 56 of the email addresses contained names

The ICO said 56 of the 200 email addresses contained the full or partial real names of patients.

Considering the subject matter of the email message, it ruled that was a serious breach of data protection laws.

But the amount of the fine was mitigated by the "significant impact on BPN's reputation as a result of this security breach".

A spokesperson for the BPN told the BBC: "We have paid the fine without making any appeal, acknowledging that our old mailing system was flawed in its potential for human error."

"We were in the process of changing systems when the breach in question occurred and we have since been using a secure and anonymous mailing system."

Continuing investigation

Another HIV support group, 56 Dean Street, in London, made the same mistake with an email sent in September 2015.

It exposed the names and email addresses of 780 people when a newsletter was issued.

The ICO told the BBC its investigation into that incident was continuing.

Fines for breaches of data protection can reach £500,000.

"No matter how big or small an organisation is, when dealing with sensitive information, policy, procedure, training, and supervision must be in place to reduce the probability of human error occurring," said Shaun Griffin, executive director of external affairs for Terrence Higgins Trust, an HIV charity which was not implicated in the ICO ruling.

"Incidences such as these are rare, and should not put anybody off getting a test for HIV. Nearly one in six people with HIV does not realise they have it," he said.

Related Topics Cyber-security