Information lawyer claims email from HIV clinic revealing names of patients, could breach the data protection and the human rights act, as well as their duty of confidence owed to its patients

A leading human rights lawyer has said that the actions of a leading UK HIV clinic in mistakenly revealing the identities of hundreds of people who had attended HIV clinics at Dean Street, part of the Chelsea and Westminster Hospital NHS Foundation Trust, could result in hundreds of claims against the Trust.

Sean Humber, head of the human rights team at law firm Leigh Day, said that the actions of the clinic is likely to be a breach of the duty of confidence that the clinic owes to its patients in relation to the medical information it holds for them, a breach of data protection in relation to its obligations to hold the information securely and a breach of the patients’ human rights in relation to respect for their private life.

Mr Humber, who has acted in a succession of claims for patients relating to the unauthorised disclosure of confidential medical information over the last 20 years, says that the insurers covering the clinic could now be forced to pay out many thousands of pounds in compensation to those named in the email.

The 56 Dean Street clinic in London's Soho sent a newsletter with around 780 patients named in the ‘To’ section of the email, rather than anonymously in the ‘BCC’ address bar, so instead of hiding the personal details of those on its recipient list, it included their full names and email addresses.

A spokesman for the clinic said the mistake on Tuesday was caused by "human error" and an internal investigation had been launched.

In an email apology, Alan McOwan, Chelsea and Westminster Hospital trust's director for sexual health, said: "I'm writing to apologise to you. This morning at around 11.30am we sent you the latest edition of OptionE newsletter. "This is normally sent to individuals on an individual basis but unfortunately we sent out today's email to a group of email addresses. We apologise for this error.

"We recalled/deleted the email as soon as we realised what had happened. If it is still in your inbox please delete it immediately.

"Clearly this is completely unacceptable. We are urgently investigating how this has happened and I promise you that we will take steps to ensure it never happens again. We will send you the outcome of the investigation.”

Editor of Online magazine beyondpositive, Tom Hayes, which is for people living with or affected by HIV, said it had been contacted by patients affected by the breach. He said the people on the email list are HIV positive adding:

"The breach lets 780 people know that the other people on the email list are living with HIV. This is a huge breach of confidentiality.”

Sean Humber from the human rights team at Leigh Day said: “This extremely unfortunate disclosure of sensitive medical information is clearly unlawful – being a breach of the duty of confidence owed by the clinic to each of its patients, almost certainly a breach of the Data Protection Act by the clinic and would also seem to represent a breach of the patients’ human rights.

“The number one priority must now be for the clinic to take all steps possible to limit the wider disclosure of this information. However, sadly, to the extent the information has already been disclosed, patients are likely to be entitled to substantial compensation for distress and losses caused.”