Dean Street clinic hit with £180,000 fine after leaking list of HIV patients

PinkNews logo on a pink background surrounded by illustrated line drawings of a rainbow, pride flag, unicorn and more.

A London NHS Trust has been hit with an £180,000 fine after 800 people had their HIV status exposed via email.

56 Dean Street made the slip last year when it sent an email newsletter to patients at its HIV clinic – but failed to prevent recipients from seeing eachothers’ details -revealing the names and email addresses of 780 people. A small number of people who received the newsletter did not have HIV.

Health Secretary Jeremy Hunt slammed as “completely unacceptable”, and this week Chelsea and Westminster Hospital NHS Foundation Trust, which runs the clinic, was fined £180,000 over the data breach.

The Information Commissioner’s Office found the mix-up constituted a serious breach of the Data Protection Act, which was likely to have caused substantial distress.

Information Commissioner Christopher Graham said: “People’s use of a specialist service at a sexual health clinic is clearly sensitive personal data. The law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen.

“It is clear that this breach caused a great deal of upset to the people affected.

“The clinic served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too.

“That our investigation found this wasn’t the first mistake of this type by the Trust only adds to what was a serious breach of the law.”

According to the ICO, the trust had previously made a similar error in March 2010, when a member of staff in the pharmacy department sent a questionnaire to 17 patients in relation to their HIV treatment, entering emails in the ‘to’ field instead of the ‘bcc’ field.

Mr Graham added: ““The Trust was quick to apologise for their mistake, and has undertaken substantial remedial work since the breach.

“Nevertheless, it is crucial that the senior managers at NHS Trusts understand the requirements of data protection law, and the serious consequences that follow when that law is broken.”

Dean Street said: “The immediate safeguards we have put in place at Dean Street have included deleting the original email distribution list, limiting the opportunity of group email distribution, making the Option E Newsletter available only from the public website and, where group email is required, putting a two hour delay on recipients receiving group emails.”

Sean Humber from law firm Leigh Day, who is currently acting for over 20 of the patients affected, said: “While I have acted in a succession of claims for patients relating to the unauthorised disclosure of confidential medical information over the last 20 years, this disclosure is by far the most serious, both in terms of the number of people affected and the extremely sensitive nature of the information disclosed.

“The Information Commissioner has rightly recognised that the breach has caused a great deal of upset to the people affected. This is reflected in the heavy fine.

“What makes the incident even more unacceptable is that the Trust failed to learn the lessons from a similar smaller-scale incident, also investigated by the Information Commissioner, that occurred in 2010.

“Had the Trust taken the necessary remedial measures then, it is likely that this later more serious breach would not have occurred.”