News

Confidentiality breach lands trust with hefty fine

London trust apologises for revealing names of 730 HIV service clients

A London NHS trust has been fined £180,000 for revealing the email addresses of more than 700 users of an HIV service.

Soho sexual health clinic at 56 Dean Street, run by Chelsea and Westminster Hospital NHS Foundation Trust, offers an email service for clients' test results and appointments. It also sent occasional newsletters to users, a small number of whom do not have HIV.

However, an error meant anyone receiving the September newsletter could see the email addresses of all the other recipients – and 730 of the 781 email addresses contained the individuals' full names.

The Information Commissioner's Office (ICO) found there had been a serious breach of the Data Protection Act by Chelsea and Westminster that was 'likely to have caused substantial distress'.

Information commissioner Christopher Graham said people’s use of a specialist service at a sexual health clinic was 'clearly sensitive, personal data'.

'The law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen,' he said.

'It is clear this breach caused a great deal of upset to the people affected: the clinic served a small area of London, and we know that people recognised other names on the list and feared their own name would be recognised too.

'That our investigation found this wasn’t the first mistake of this type by the trust only adds to what was a serious breach of the law.'

An ICO investigation found the trust had made a similar mistake in March 2010, when a member of staff in the pharmacy department sent a questionnaire to 17 patients in relation to their HIV treatment. While some remedial measures were put in place following this incident, no specific training had been implemented.

Chelsea and Westminster trust medical director and Caldicott Guardian Zoe Penn said: 'We fully accept the ruling of the ICO for what was a serious breach and we have worked to ensure that it can never happen again. I reiterate my apology to all those affected.'

Ms Penn said immediate safeguards put in place at 56 Dean Street included:

Deletion of original email distribution list.

Limiting the opportunity of group email distribution.

Making the newsletter available only from the public website.

A two-hour delay in the receipt of group emails.

She added that affected individuals were being kept updated on the action the trust was taking.