A clinic that provides sexual health services to patients has been fined £180,000 for a data breach that occurred last year.
56 Dean Street (Soho) is a clinic that operates within the Chelsea and Westminster Hospital National Health Service (NHS) Foundation Trust. It is well known for the services it provides to patients with HIV. As part of those services, the clinic offers patients "Option E," a way to receive test results, schedule appointments, and receive newsletters via email.
According to a report submitted by the United Kingdom Information Commissioner's Office (PDF), the data breach occurred in late summer of 2015 as a result of a sending error involving the Option E service.
"On 1 September 2015, a member of staff in the clinic sent a newsletter to the 781 subscribers of the Option E service. The e-mail addresses were… entered into the 'to' field instead of the blind carbon copy ('bcc') field in error. The recipients of the e-mail could therefore see the e-mail addresses of all the other recipients."
The full names of 730 of those 781 subscribers were contained in the leaked email addresses, so any recipient could use those names to look up many of the clinic's patients online.
To make matters worse, the NHS Trust had an opportunity to prevent an incident like this from happening several years ago.
"What makes the incident even more unacceptable is that the trust failed to learn the lessons from a similar smaller-scale incident, also investigated by the information commissioner, that occurred in 2010," said Sean Humber from the legal firm Leigh Day, who is acting on behalf of more than 20 of the patients affected by the breach. "Had the trust taken the necessary remedial measures then, it is likely that this later more serious breach would not have occurred."
In March of 2010, a member of the Trust's Pharmacy Department sent out a questionnaire to 17 patients that inquired about their access to HIV treatment, as reported by The Guardian.
Their emails were entered into the "to" field and not the "bcc" field, meaning the recipients could see the email addresses of everyone else who received the questionnaire.
The Trust did implement some modifications to its internal policies following the breach, but according to the ICO, it failed to achieve meaningful change:
"The Trust put in place some remedial measures following this security breach. However, there was no specific training to remind staff to double check that the group e-mail addresses were entered into the correct field. In addition, the Trust did not replace the e-mail account it was using with an account that could send a separate e-mail to each service user on the distribution list."
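As an added illustration of the control the ICO describes (not code from the Trust or the ICO report), the sketch below sends one separate message per subscriber and adds a guard that refuses any bulk message naming more than one visible recipient. The addresses, sender and `transport` callable are constructed placeholders.

```python
from email.message import EmailMessage

# Constructed sample subscriber list; not real addresses.
SUBSCRIBERS = [
    "patient1@example.org",
    "patient2@example.org",
    "patient3@example.org",
]

SENDER = "newsletter@example.org"  # assumed sender address


class RecipientExposure(Exception):
    """Raised when one message would reveal other recipients' addresses."""


def check_no_exposure(msg: EmailMessage) -> None:
    """Refuse a bulk message whose To/Cc headers expose more than one address.

    This is the exact mistake in the 2010 and 2015 incidents: a group list
    placed in 'to' instead of 'bcc'.
    """
    visible = []
    for header in ("To", "Cc"):
        for value in msg.get_all(header, []):
            visible.extend(a.strip() for a in value.split(",") if a.strip())
    if len(visible) > 1:
        raise RecipientExposure(f"{len(visible)} addresses visible in To/Cc")


def build_newsletter(recipient: str, subject: str, body: str) -> EmailMessage:
    """Build one message addressed to exactly one subscriber."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_newsletter(subscribers, subject, body, transport) -> int:
    """Send a separate message per subscriber via transport(msg); return count.

    `transport` is any callable that delivers an EmailMessage (for example a
    wrapper around smtplib.SMTP.send_message); it is abstracted so this runs
    offline.
    """
    sent = 0
    for address in subscribers:
        msg = build_newsletter(address, subject, body)
        check_no_exposure(msg)  # defence in depth: fail closed if a list slipped in
        transport(msg)
        sent += 1
    return sent
```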
For its failure to adequately protect patients' information and to conduct appropriate staff training, the Trust has been fined a monetary penalty of £180,000.
The ICO has demanded that the penalty be paid in full by June 3, 2016. If the entire amount has been paid by June 2, the ICO will reduce the penalty by 20 percent to £144,000.