Data protection: NHS Trust fined £180,000 for HIV data leak in breach of medical confidence case

Chelsea and Westminster Hospital NHS Foundation Trust has been fined £180,000 by the Information Commissioner’s Office (ICO) as a result of a serious data breach by the 56 Dean Street sexual health clinic in which hundreds of patients' HIV status were inadvertently disclosed in an emailed newsletter.

A number of patients signed up to receive the Clinic's 'Option E' newsletter, which contained information on HIV treatment and support. When one of these newsletters was distributed in September 2015 the clinic revealed the email addresses of all 781 recipients of the email to all other recipients by mistakenly not using the ‘bcc’ email address option as was its normal practice. It is believed that 730 of the 781 group email addresses contained the full names of service users.

The ICO found that the Trust had: (i) failed to use an account that could send a separate e-mail to each service user, and (ii) failed to provide staff with specific training on the importance of double checking that email addresses were entered into the ‘bcc’ field.

As a result of the breach the recipients of the e-mail could infer the HIV status of many of the other recipients. This clearly amounted to confidential and sensitive personal data. The ICO therefore found that there had been a “serious contravention of section 4(4) of the Data Protection Act by the data controller” under section 55A(1)(a) of the DPA.

The ICO found that this would cause distress to the service users who knew that their names had been disclosed to other recipients who could infer their HIV status, particularly when the Trust serves a small geographic area, meaning it is more likely that affected individuals knew each other.

The Trust was fined because the data protection breach was of a kind likely to cause substantial distress and the Trust knew or ought to have envisaged the risks and did not take reasonable steps to prevent the breach taking place.

The fine was particularly substantial because of a previous incident which had occurred at the Trust in March 2010 when a member of staff in the pharmacy department had sent a questionnaire to 17 patients in relation to their access to HIV treatment, and mistakenly entered the e-mail addresses into the ‘to’ field rather than the ‘bcc’ field.

In relation to the September 2015 incident, a total of 15 individuals complained to the Trust, and nine individuals complained to the ICO.

The Trust’s fine will be reduced by 20% to £144,000 if it pays by 2 June 2016.

Click here if you require more information on how Brett Wilson LLP privacy solicitors can assist you if your privacy has been breached.