
London NHS trust fined £180K by Information Commissioner for HIV data leak

The Chelsea and Westminster Hospital NHS Foundation Trust, which runs the 56 Dean Street sexual health clinic in Soho, London, has been fined £180,000 by the Information Commissioner for leaking sensitive patient information last year.

In September last year, 780 patients of 56 Dean Street who had signed up for email notification of their test results and other information received an email newsletter with every recipient's name and email address exposed in the 'To' line.

The Information Commissioner's Office (ICO) found that there had been a serious breach of the Data Protection Act which was likely to cause great distress.

Patients quoted in The Guardian at the time said they recognised the names of people on the list to whom they had not previously disclosed their own HIV status.

Of today's judgement, the information commissioner Christopher Graham said, “People's use of a specialist service at a sexual health clinic is clearly sensitive personal data. The law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen.”

The investigation found that this was not the first mistake of this type that the Trust had made. “It is clear that this breach caused a great deal of upset to the people affected. The clinic served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too. That our investigation found this wasn't the first mistake of this type by the Trust only adds to what was a serious breach of the law,” Graham said.

The ICO found that in March 2010 a member of the pharmacy staff had sent a questionnaire about HIV treatment to 17 patients, again with all of the email addresses in the 'To' field. The hospital introduced some remedial measures afterwards but implemented no staff training.

Following this latest incident, the Chelsea and Westminster Hospital NHS Foundation Trust, which operates the clinic, has put into place “substantial remedial work”, according to Graham.

Richard Anstey, chief technology officer EMEA at Intralinks, said that a study by Intralinks and the Ponemon Institute had found that 61 percent of respondents had accidentally shared files with unauthorised people.

“Organisations dealing with sensitive information need to consider how to contain bad practices,” Anstey said.

“One key factor here is education: training staff on procedures and protocols. However, training alone is not enough as humans are prone to making mistakes. Instead, organisations should combine education with technology to help cope with the accidental loss of data,” he said.

“Any organisation handling sensitive data should take note of today's £180k fine and consider ways to combine technology with education in order to keep data safe.” 
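Both incidents in this story are the same mistake: a bulk mailing addressed so that every recipient can read the full list. The following is an added example, not code from the ICO, the Trust or Intralinks, of the kind of technical control Anstey's "technology with education" point describes. It shows the leaky construction next to a safe one that keeps recipients only in the SMTP envelope, and a pre-send gate that refuses any message with more than one visible address. All names, addresses and the sending function are constructed and hypothetical.

```python
"""Added example, not code from the page: bulk-mail construction that cannot
disclose the recipient list, plus a gate that blocks messages that would.
All addresses are constructed and hypothetical."""
from email.message import EmailMessage
from email.utils import formataddr, getaddresses

# Constructed sample recipient list; not real people or addresses.
PATIENTS = [
    ("Alex Example", "alex@example.org"),
    ("Bo Example", "bo@example.org"),
    ("Casey Example", "casey@example.org"),
]
SENDER = "clinic-noreply@example.org"   # hypothetical sending address


def visible_recipients(msg):
    """Every address a recipient could read in the delivered message: the
    To and Cc headers. Bcc is not counted because a correct mail submission
    strips it before delivery."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers)]


def build_leaky_newsletter(sender, recipients, subject, body):
    """The pattern behind both incidents: the whole list in the To header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(formataddr(r) for r in recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_safe_newsletter(sender, recipients, subject, body):
    """One message whose only visible address is the sender; the real
    recipients travel in the SMTP envelope (returned separately) and never
    appear in any header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = [addr for _name, addr in recipients]
    return msg, envelope


def check_before_send(msg, max_visible=1):
    """Technical control: refuse any message that would expose more than
    max_visible addresses in To/Cc. Wire it in front of the SMTP call so the
    mistake is blocked regardless of who composes the message."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        raise ValueError(
            f"{len(seen)} addresses visible in To/Cc; send one message per "
            "recipient or keep the list in the SMTP envelope")
    return seen


def send_newsletter(smtp, sender, recipients, subject, body):
    """Gate, then submit. `smtp` is any object with send_message(); in
    production that is smtplib.SMTP, whose send_message accepts to_addrs."""
    msg, envelope = build_safe_newsletter(sender, recipients, subject, body)
    check_before_send(msg)
    smtp.send_message(msg, from_addr=sender, to_addrs=envelope)
    return len(envelope)


class _RecordingSMTP:
    """Stand-in for smtplib.SMTP so the example runs offline."""
    def __init__(self):
        self.sent = []

    def send_message(self, msg, from_addr=None, to_addrs=None):
        self.sent.append((from_addr, list(to_addrs), str(msg["To"])))


if __name__ == "__main__":
    leaky = build_leaky_newsletter(SENDER, PATIENTS, "Results", "Your results are ready.")
    print("leaky message exposes", visible_recipients(leaky))
    smtp = _RecordingSMTP()
    n = send_newsletter(smtp, SENDER, PATIENTS, "Results", "Your results are ready.")
    print("safe message went to", n, "envelope recipients; To header shows", smtp.sent[0][2])
```

The gate deliberately inspects the assembled message rather than the caller's intent: whoever composes the mailing, and however the list reaches the tool, a message that would show other patients' addresses never reaches the SMTP call.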
