NHS condemned for outing HIV service users in ‘distressing’ data breach: ‘Simply no excuse’


An NHS health board has been reprimanded for a “serious” data breach involving 37 people who use its HIV services.

NHS Highland, which covers Argyll & Bute, and Highland, in Scotland, has been blasted by the Information Commissioner’s Office (ICO) in a formal reprimand. 

The ICO, the UK’s independent body set up to regulate information rights, has called for serious improvements to be made to data protection safeguards within HIV services.  

The reprimand comes after NHS Highland used CC (carbon copy) instead of BCC (blind carbon copy) in an email sent on 13 June 2019 to 37 people using its HIV services.

NHS Highland’s error meant recipients of the email were able to see the personal email addresses of other people the message was intended for, with one individual recognising four names – one of which was a previous sexual partner.

In the reprimand, the ICO said exposing the individuals’ email addresses was “likely to be distressing and/or damaging”, both in relation to their personal details being shared – including potential HIV status – and “their confidence in the service provided”. 


The information commissioner observed NHS Highland had breached three articles of the General Data Protection Regulation. 

It was concluded that BCC “was not the most secure way to manage communications and other methods could have been adopted”, with a “lack of technical and organisational measures” in place to prevent the disclosure.

“In this incident, the sensitivity of the email addresses should have been considered when the arrangement was made to forward emails on behalf of [REDACTED] due to the inference that could be made regarding access to HIV services and HIV status,” the ICO added. 

A ‘crucial learning experience’

It was noted that remedial steps were taken by the health board to address the impact of the breach and prevent it happening again, including no longer sending group emails to patients. 
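The mechanism behind the breach, and the two controls the ICO's findings point to (not relying on BCC, and not sending group emails to patients at all), can be shown in a few lines. The following is an added example written for this page; it is not code from NHS Highland, its email provider or the ICO. The sender mailbox `hiv.clinic@example.nhs` and the recipient addresses are constructed for illustration, and `check_outbound` is a hypothetical pre-send rule of the kind a mail gateway or add-in could enforce for a sensitive mailbox.

```python
from email.message import EmailMessage

# Hypothetical mailbox of a sensitive service (constructed; not a real address).
SENSITIVE_SENDERS = {"hiv.clinic@example.nhs"}

# Constructed recipient list for the example; none of these addresses is real.
RECIPIENTS = [
    "one.recipient@example.org",
    "two.recipient@example.org",
    "three.recipient@example.org",
]


def build_group_message(sender, recipients, field="Cc"):
    """One message to the whole list, as in the incident.

    field="Cc" (the mistake) places every address in a header that every
    recipient receives. field="Bcc" hides the list, but a single group
    message is still one wrong header away from the same disclosure.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "Clinic update"
    msg[field] = ", ".join(recipients)
    msg.set_content("Dear service user, ...")
    return msg


def build_individual_messages(sender, recipients):
    """The remedial pattern: one message per person, so no recipient's
    address is ever present in a message delivered to anyone else."""
    messages = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = "Clinic update"
        msg.set_content("Dear service user, ...")
        messages.append(msg)
    return messages


def recipient_addresses(msg, fields=("To", "Cc", "Bcc")):
    """Distinct addr-specs across the given header fields, using the
    parsed address objects so 'Name <addr>' forms are handled."""
    found = set()
    for field in fields:
        for header in msg.get_all(field, []):
            found.update(a.addr_spec.lower() for a in header.addresses)
    return sorted(found)


def exposed_addresses(msg):
    """Addresses each recipient can read from the delivered headers.
    To and Cc reach everyone; a conforming submission server strips Bcc."""
    return recipient_addresses(msg, fields=("To", "Cc"))


def check_outbound(msg, strict=True):
    """Pre-send control for sensitive mailboxes. Returns a list of
    violations; an empty list means the message may be sent.

    Always refuses more than one visible (To/Cc) recipient.
    strict=True also refuses a Bcc list, so every message names exactly
    one person, which is the 'no group emails' position.
    """
    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        return ["missing From header"]
    sender = from_header.addresses[0].addr_spec.lower()
    if sender not in SENSITIVE_SENDERS:
        return []  # rule scoped to sensitive service mailboxes only

    violations = []
    visible = exposed_addresses(msg)
    if len(visible) > 1:
        violations.append(
            f"{len(visible)} addresses visible to all recipients via To/Cc"
        )
    if strict and len(recipient_addresses(msg)) > 1:
        violations.append("group message to a patient list; send individually")
    return violations


if __name__ == "__main__":
    cc = build_group_message("hiv.clinic@example.nhs", RECIPIENTS, "Cc")
    print("CC group message exposes:", exposed_addresses(cc))
    print("Violations:", check_outbound(cc))
    for m in build_individual_messages("hiv.clinic@example.nhs", RECIPIENTS):
        print("Individual message violations:", check_outbound(m))
```

Run stand-alone, the CC version lists all three constructed addresses as visible to every recipient and is refused, the BCC version exposes nothing but is still refused under the strict rule, and each individual message passes. The rule is keyed on the sending mailbox rather than the recipient domain, because the sensitivity here comes from what membership of the list implies, not from where the recipients' mail is hosted.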

The ICO applied its public-sector approach, which includes the use of warnings, reprimands and enforcement notices, rather than issuing a £35,000 fine to the health board, but said there is “simply no excuse” for the mistake. 

Stephen Bonner, the ICO’s deputy commissioner – regulatory supervision, said this case shows a “serious breach of trust” for those accessing “vital services” and they have been “failed”. 

“The stakes are just too high. Research shows that people living with HIV have experienced stigma or discrimination due to their status, which means organisations dealing with this type of information should take the utmost care with their personal data,” he said.

“HIV service providers must set the highest standard for themselves and their service users.” 

The deputy commissioner said every HIV service provider in the country should look at this case and see it as a crucial learning experience. 

“We are calling on organisations to raise their data protection standards and put the appropriate measures in place to keep people safe,” he added. 

According to ICO data, incorrect use of BCC by organisations is one of the top 10 non-cyber breaches, with almost 1,000 cases reported since 2019.

A spokesperson for NHS Highland told PinkNews: “NHS Highland is sorry that this breach of confidentiality has happened. We acknowledge and accept the findings of the information commissioner and are doing all we can to prevent a repetition of this incident.

“Since this incident, NHS Highland has changed email domain as part of a national roll out. We continue to work closely with domain providers to examine options to prevent similar events happening in the future and to ensure we are adhering to the recommendations of the information commissioner.

“We would take this opportunity to again apologise – unreservedly – to everyone who was affected.”