The information lawyer acting for patients affected by the data breach welcomed today’s announcement that the Information Commissioner has fined the Chelsea and Westminster Hospital NHS Foundation Trust £180,000 for breaching the Data Protection Act by revealing the names and email addresses of over 700 patients using its 56 Dean Street Clinic.
On 1st September 2015, the Soho-based sexual health clinic operated by the Chelsea and Westminster Hospital NHS Foundation Trust sent a newsletter by email to patients with HIV who had subscribed to its email service for receiving test results and making appointments.
Unfortunately, the newsletter was sent by way of a group email with the names and email addresses of the recipients entered into the ‘to’ field rather than the ‘bcc’ field as had been intended. As a result, those receiving the email could see the names and email addresses of the other recipients.
Sean Humber is currently acting for over 20 of the patients affected by the disclosure in ongoing claims for compensation for the distress and losses suffered as a result of the Trust’s failure to have appropriate IT systems or training in place to prevent the accidental disclosure of their private and sensitive information.
Sean Humber stated:
“While I have acted in a succession of claims for patients relating to the unauthorised disclosure of confidential medical information over the last 20 years, this disclosure is by far the most serious, both in terms of the number of people affected and the extremely sensitive nature of the information disclosed.
“The Information Commissioner has rightly recognised that the breach has caused a great deal of upset to the people affected. This is reflected in the heavy fine.
“What makes the incident even more unacceptable is that the Trust failed to learn the lessons from a similar smaller-scale incident, also investigated by the Information Commissioner, that occurred in 2010. Had the Trust taken the necessary remedial measures then, it is likely that this later more serious breach would not have occurred.”