Categories: Regulation, Security

ICO Fines London NHS Trust For Exposing Patient Details

The Information Commissioner’s Office (ICO) has fined a London NHS trust £180,000 after it exposed the email addresses of more than 700 users of an HIV service.

The service, offered by 56 Dean Street, a sexual health clinic based in Soho, allowed patients with HIV to receive test results and make appointments via email, and also offered an occasional newsletter, with some people without HIV also receiving the newsletter, according to the ICO.

Emails, full names exposed

In September of last year the clinic mistakenly sent the newsletter in such a way that all recipients could see the email addresses of the others, the addresses having wrongly been entered into the “to” field instead of the “bcc” field.

Most of the addresses, 730 out of 781, contained the recipient’s full name, the ICO said.
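The failure described above is a mechanical one: a bulk message whose recipient list was placed in a visible header (To or Cc) rather than a hidden one (Bcc), so every address, and in most cases the full name attached to it, was delivered to every other recipient. The following added example, which is not code from the article or from the trust, shows how a newsletter send can be built so that recipients only ever appear in Bcc, together with a pre-send check that refuses any bulk message exposing more than one address. All names and addresses are constructed for the demo.

```python
"""Added example: Bcc-only bulk mail plus a pre-send exposure check.

Constructed demonstration of the To-versus-Bcc mistake behind the breach in
the article. Addresses, names and the clinic sender are hypothetical.
"""
from email.message import EmailMessage


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return the addresses every recipient can see: To and Cc, never Bcc.

    EmailMessage uses email.policy.default, so each address header exposes a
    tuple of parsed Address objects; addr_spec drops the display name, which is
    what was also leaked in the article (730 of 781 addresses carried a name).
    """
    exposed = []
    for field in ("To", "Cc"):
        for header in msg.get_all(field, []):
            exposed.extend(a.addr_spec for a in header.addresses)
    return exposed


def build_newsletter(sender: str, recipients: list[str], subject: str,
                     body: str, *, safe: bool = True) -> EmailMessage:
    """Assemble a newsletter to many recipients.

    safe=True  -> recipients go in Bcc; To carries only the sender.
    safe=False -> recipients go in To (the mistake the article describes),
                  kept here so the check below has something to catch.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if safe:
        # Some mailers prefer "undisclosed-recipients:;" here; the sender's
        # own address is a simpler, equally non-revealing choice.
        msg["To"] = sender
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    return msg


def is_safe_to_send(msg: EmailMessage, max_visible: int = 1) -> bool:
    """True if the message exposes at most max_visible addresses to recipients."""
    return len(visible_recipients(msg)) <= max_visible


def check_before_send(msg: EmailMessage, max_visible: int = 1) -> EmailMessage:
    """Gate to place in front of smtplib.SMTP.send_message for bulk mail.

    Raises instead of sending when recipient addresses would be shared with
    every other recipient.  send_message() itself strips the Bcc header and
    uses it only for the SMTP envelope, so a message that passes this check
    does not reveal its distribution list.
    """
    if not is_safe_to_send(msg, max_visible):
        n = len(visible_recipients(msg))
        raise ValueError(
            f"{n} recipient addresses would be visible to every recipient; "
            "move them to Bcc or send one message per recipient"
        )
    return msg


if __name__ == "__main__":
    # Constructed sample list; names and domains are fictitious.
    patients = [
        "Jane Doe <jane.doe@example.com>",
        "John Smith <john.smith@example.net>",
        "pat@example.org",
    ]
    clinic = "newsletter@clinic.example"

    bad = build_newsletter(clinic, patients, "Clinic news", "Hello", safe=False)
    print("unsafe message exposes:", visible_recipients(bad))

    good = build_newsletter(clinic, patients, "Clinic news", "Hello")
    check_before_send(good)
    print("safe message exposes:", visible_recipients(good))
```

For a service that handles sensitive health information, the stricter option is to skip Bcc altogether and send one individually addressed message per recipient, so that no single message object ever holds the full list; the same `check_before_send` gate still applies to each of those messages.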

The ICO said on Monday it found the incident represented a serious breach of the Data Protection Act and was likely to have caused substantial distress, and as a result levied the fine on Chelsea and Westminster Hospital NHS Foundation Trust, which runs the clinic.

The ICO can impose monetary penalties of up to £500,000 for such breaches. The fine is paid into HM Treasury’s Consolidated Fund and is not kept by the ICO.

“The law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen,” information commissioner Christopher Graham stated.

He added that the clinic served a small area of London, meaning that people recognised other names on the list and feared their own name would also be recognised.

‘Substantial’ remediation

The ICO found that this wasn’t the trust’s first such breach. In March 2010 a member of staff in its pharmacy department sent a questionnaire to 17 patients in relation to their HIV treatment, exposing the addresses to other recipients in the same way.

Some remedial measures were put in place following this mistake, but no specific training was implemented, the ICO said.

Graham said the trust apologised for the mistake and has now undertaken “substantial” remedial work.

“It is crucial that the senior managers at NHS Trusts understand the requirements of data protection law, and the serious consequences that follow when that law is broken,” he stated.

The regulator’s highest fine to date, for £350,000, was levied against a marketing company after it bombarded people night and day with 46 million automated nuisance calls.

Labour MP David Lammy was fined £5,000 after launching more than 35,000 automated calls over a two-day period in August of last year in support of his Mayor of London election bid.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
