Last year in September, a sexual health clinic based in Soho, London, revealed almost 800 of their patients’ private information to each other by mistake – i.e. the other patients – when an email was sent to the list of people where the names and addresses for the other recipients were not hidden.
This has resulted in one of the biggest data breaches in the history of the NHS, and has led to us fighting for the rights of numerous people who have been affected by the breach.
The clinic works with intimate and sensitive private information as many of their patients have conditions like HIV. The clinic, managed by the Chelsea and Westminster Hospital NHS Foundation Trust, offered a convenient and quick online service for booking appointments and receiving test results, known as Option-E. Those who had signed up for this service also received a generic newsletter every once in a while, and this eventually led to the breach.
On the 1st of September 2015, patients opened one of these electronic newsletters from the NHS managed clinic, and were horrified to find that their private email addresses were visible; and so were every other recipients’ as well.
The clinic had mistakenly sent the newsletter with all the recipients’ addresses exposed in the ‘to’ section, rather than using the ‘blind cc’ method, or a proper systemised method that would hide the names and addresses.
Naturally, many patients were distraught to see other patients’ full email addresses, with many of them including names as well. Since the clinic was based in a small Soho area, some clients were speechless when they recognised names of people they knew whom they had not been aware were also HIV sufferers, or were undergoing testing. Of course, as they could see other people’s information, the people they knew could also see theirs.
Technology for communication is so popular nowadays that mistakes could prove to be severe, as we have seen in the 56 Dean Street Clinic case here. Many of the patients were devastated and hugely distressed to have their private information leaked out by the NHS. Some patients had spoken of the ‘second to none’ quality care provided at the clinic, which has been sadly clouded as a result of the breach.
The clinic has apologised, but the damage is already done. The information is now out there, and all people can do is seek justice by way of a Data Protection Act claim, which is what we are helping people with.
As we have said in the past, we absolutely do not share the media opinion that this was just some “human error” and we really feel sorry for the staff involved. The issue here is systemic – there is technology that is easily and readily available that could have prevented this from happening, and with the nature of the information we’re talking about here, we are very surprised that it wasn’t used in the first place.
Big and sensitive data must be handled very intelligently.