The UK’s data protection authority, the Information Commissioner’s Office (ICO), may be prompted to investigate a serious breach of privacy involving a London health clinic this week.

The 56 Dean Street Clinic, which is operated by the Chelsea and Westminster NHS Trust and specializes in HIV and other sexual health services, has apologized for an error that revealed, to all 780 recipients, the full names and email addresses of fellow clinic users who had signed up to an email service. That service lets patients receive test results and book appointments by email, and receive the clinic’s newsletter. An internal investigation is underway, but it appears that human error is to blame: instead of blind-copying (“bcc”) the recipients of the email bulletin, the sender used the “cc” function, so every recipient could see the full list. Such slip-ups are embarrassing for any organisation, but this one is particularly serious because of the highly sensitive nature of the information and the breach of patient privacy.

Patients of the clinic have understandably expressed their concerns:

  • Their full names and email addresses have been circulated.
  • It is possible to identify other people they know from the list and to learn their HIV status.
  • They may not have shared their HIV-positive status with friends and family, but now anyone could find out.
  • Although the email was recalled, there is no way of controlling the further dissemination of the information. The information could be published online at any time.
  • The information could be used against patients (for example, in an employment context).
  • Any legal action taken by the patients, or by others acting on their behalf, could further compromise their privacy.

This breach could lead to enforcement action by the ICO and other industry regulators, such as the Care Quality Commission in the health sector. UK Health Secretary Jeremy Hunt has ordered an inquiry into the incident, which he described as “completely unacceptable.” It also draws unwelcome attention to his plans to put NHS patients’ GP records online within 12 months, with hospital records to follow by 2018. It has already been noted that security for patient data must be a key priority for these plans, as the public needs to trust the NHS to properly safeguard health and treatment records online. Security measures to prevent cyber-attacks are necessary, but so is training for staff to learn how to reduce the risks of accidentally disclosing personal data.
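The cc/bcc slip described above is the kind of accidental disclosure that a technical control can catch before it leaves the organisation, complementing the staff training just mentioned. As an added example (not code from the clinic, the NHS or this article), the Python below builds a bulletin as one message per subscriber and runs an outbound check that rejects any message whose visible To:/Cc: list is longer than one address; the sender mailbox and subscriber addresses are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample subscriber list (placeholder addresses, not the clinic's).
SUBSCRIBERS = ["patient1@example.org", "patient2@example.net", "patient3@example.com"]
SENDER = "bulletin@clinic.example"  # hypothetical bulletin mailbox


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can see: To: and Cc: only. Bcc: is excluded
    because the mail server strips it before delivery."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def assert_no_exposure(msg: EmailMessage, limit: int = 1) -> None:
    """Outbound check: refuse a message whose visible recipient list exceeds
    `limit`. A bulletin with hundreds of patients in Cc: is exactly the
    failure that disclosed the clinic's subscriber list."""
    seen = visible_recipients(msg)
    if len(seen) > limit:
        raise ValueError(f"{len(seen)} visible recipients (limit {limit}); use Bcc or one message per subscriber")


def build_bulletin(subject: str, body: str, recipients: list[str]) -> list[EmailMessage]:
    """Safe form: one message per subscriber, so no subscriber's address
    ever appears in another subscriber's copy. Each message is re-checked
    before it would be handed to the mail gateway."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = rcpt  # only this subscriber is visible
        msg["Subject"] = subject
        msg.set_content(body)
        assert_no_exposure(msg)  # defence in depth: fails loudly if misbuilt
        messages.append(msg)
    return messages


def cc_mistake(subject: str, body: str, recipients: list[str]) -> EmailMessage:
    """The erroneous form from the incident: every subscriber in Cc:, so the
    whole list is disclosed to everyone. Built only to show the check firing."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg
```

Wiring `assert_no_exposure` into the outbound path of a mail gateway or bulk-mail tool turns the clinic's "use bcc" rule from a training point into a check that fails the send.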

Under the Data Protection Act 1998 (DPA), the clinic could face a penalty fine of up to £500,000 for the breach and may be liable to compensate individuals for any damage and distress suffered. The DPA does not define these terms clearly, but according to ICO guidance, “damage” is understood to mean “financial loss or physical harm,” and “distress” can be described as “a level of upset or emotional or mental pain, that goes beyond annoyance or irritation, showing dislike, or a feeling that the processing is morally abhorrent.”

The data subjects involved in this incident will undoubtedly be able to claim that they have suffered, or are likely to suffer, distress. That said, the clinic did take steps to contain the incident and its repercussions. These are noteworthy and, depending on the circumstances and appropriate legal advice, potentially suitable actions to be taken by any organization involved in similar events:

  • Recall/delete the email as soon as possible.
  • Contact recipients to explain the problem.
  • Ask them to delete the original email immediately.
  • Recognize that the error was unacceptable and apologise.
  • Explain that there is an investigation into the incident and that they will be informed of the outcome.
  • Set up a helpline.
  • Provide contact details.