An accidental human error in sending out an email has led to the disclosure of the identities of nearly 800 HIV-positive patients in London. The email contained the full names of 730 people. The Information Commissioner’s Office (ICO) has fined 56 Dean Street, an NHS sexual health clinic, £180,000 for this data protection breach.
The employee who sent out the clinic’s monthly newsletter left the email addresses of all the recipients visible to one another: the addresses were entered into the “to” field rather than the “bcc” field. Most, but not all, of the recipients of the newsletter were HIV positive.
Elliot Herman, one of the people affected by this unauthorised disclosure of highly sensitive personal information, has spoken out about the impact of having to deal with the fallout from the disclosure. Herman's own name was not listed on the email, but his husband's was. At the time Herman gave interviews to several news agencies. He explains that his parents were unaware of his sexual orientation and of his attendance at the clinic, and that he had no choice but to tell them before they saw it in the media.
This is not the first time that the clinic has made an error of this kind. A similar unauthorised disclosure occurred in 2010, on that occasion affecting 17 patients: a questionnaire was sent to patients by email and, in the same way, the recipients’ email addresses were entered into the “to” field rather than the “bcc” field. The ICO investigated the error at the time and the clinic agreed to implement remedial measures, but it appears that no staff training was put in place.
The clinic has been co-operating with the ICO and has implemented measures to prevent this error from happening again. The measures include a review of policies and procedures and the introduction of a software control on its emailing system to stop this kind of mistake in future.
Whilst the consequences of mistakes like these can, as in this case, be life shattering, it is not hard for human error to creep into email communications in particular. Most of us who use email have at some point suffered the results of predictive software inserting the wrong recipient name, or of pressing ‘reply all’ with a comment intended purely for the sender. Often the consequences are embarrassing at most. But even here, risk assessments should be made as a matter of course, since what might appear to be an innocuous mistake can have far-reaching consequences.
Maybe it is because we use it so much and it has become second nature, but many of us no longer think twice about using email: how it reaches its destination, how secure it is, how long it sticks around for, and so on. Employers have as much responsibility to consider the risks of sending communications by email and other methods as their employees have to abide by the rules and policies that the employer puts in place and provides training and guidance on. It is not clear what happened to the employee who made the error here. It is fairly safe to assume that they have not had a happy aftermath either.
Businesses should always identify the likely areas where they are at risk of making an unauthorised disclosure and should consider implementing control measures to prevent errors. Examples of steps that you can take include:
1. set up a strategy to eliminate email mistakes, for example using automated IT safeguards (such as a ‘reply all’ function that requires a further confirmation step) or sending separate emails to each individual user on a distribution list. There are plenty of good customer relationship management solutions available to assist with this, many of them at cost-effective rates;
2. implement a prevention strategy such as using checklists and specific procedures, and training staff to double-check their practices, particularly when handling sensitive data.
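As an added illustration of the automated safeguard in step 1 (example code, not the post’s or the clinic’s own system): a pre-send guard that refuses a bulk mailing when several addresses would be visible in the “to” or “cc” fields, alongside the safe alternative of building one message per list member. The addresses and the threshold are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed policy value: a bulk mailing may expose at most one address in To/Cc.
MAX_VISIBLE_RECIPIENTS = 1

def visible_recipients(msg: EmailMessage) -> list:
    """Addresses every recipient can read: everything in To and Cc (Bcc is stripped in transit)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses([str(h) for h in headers]) if addr]

def check_outgoing(msg: EmailMessage) -> tuple:
    """Pre-send guard; returns (allowed, reason) so the mail client can block and explain."""
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        return False, f"blocked: {len(visible)} recipient addresses would be visible to each other"
    return True, "ok"

def split_newsletter(sender: str, subject: str, body: str, recipients: list) -> list:
    """The safe pattern from step 1: one message per recipient, so no list member sees another."""
    out = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = rcpt
        m["Subject"] = subject
        m.set_content(body)
        out.append(m)
    return out

# Constructed sample data (fictional addresses).
SENDER = "newsletter@clinic.example"
LIST = ["patient1@example.org", "patient2@example.org", "patient3@example.org"]

def demo():
    """Reproduce the mistake (whole list in the visible 'to' field) next to the safe version."""
    bad = EmailMessage()
    bad["From"] = SENDER
    bad["Subject"] = "Monthly newsletter"
    bad["To"] = ", ".join(LIST)  # every recipient would see every other address
    bad.set_content("Newsletter text")
    good = split_newsletter(SENDER, "Monthly newsletter", "Newsletter text", LIST)
    return check_outgoing(bad), [check_outgoing(m)[0] for m in good]

if __name__ == "__main__":
    print(demo())
```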
The ICO has issued useful guidance on how businesses can prevent a data breach. You can find their guide here.
If you need any assistance with data protection matters, you can always get in touch with us for a friendly chat.
You're on our blog and updates site, which is hosted by elXtr. elXtr is a leading online legal information service owned by us, LHS Solicitors LLP.
"It is clear that this breach has caused a great deal of upset to the people affected," said Christopher Graham, information commissioner. "The clinic served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too."