Chelsea and Westminster Hospital NHS Foundation Trust has been fined £180,000 after it accidentally revealed the emails of HIV patients and was judged to have breached the Data Protection Act.
One of Soho’s most frequented and well known sexual health clinics, 56 Dean Street, unwittingly revealed the private emails of over 700 HIV patients in an email newsletter.
Reportedly due to an error, recipients of the newsletter could see the email addresses of fellow HIV patients as they had been incorrectly entered into the ‘to’ field, rather than the ‘bcc’ field.
730 of the 781 email addresses contained people’s full name, including some patients who did not actually have HIV.
The Information Commissioner’s Office (ICO) found there had been a “serious breach of the Data Protection Act, which was likely to have caused substantial distress.”
Christopher Graham, Information Commissioner explained that “the law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen.” Adding that the clinic “served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too.”
In March 2010, the ICO found that the same NHS Trust had previously made a similar error when a member of staff in the pharmacy department sent a questionnaire to 17 patients. Likewise, the member of staff entered emails into the ‘to’ field instead of the ‘bcc’ field.
For this reason, Graham said “our investigation found this wasn’t the first mistake of this type by the Trust” which “only adds to what was a serious breach of the law.”
HM Treasury’s Consolidated Fund will receive the full £180,000.