The Information Commissioner’s Office is looking into an “incident” involving the innovative 56 Dean Street clinic in London’s Soho, which has accidentally disclosed the HIV status of 800 patients.
The clinic, which is run by Chelsea and Westminster NHS Trust, sent out a newsletter on Tuesday that revealed the names and addresses of the patients, in what it has described as an “unacceptable” error.
It has promised a full investigation, and to report the results to patients. In a tweet, the ICO said that it was aware of the incident and making enquiries.
The ICO can fine public bodies, including NHS trusts, up to £500,000 for major data breaches that cause significant harm.
56 Dean Street describes itself as a “friendly, convenient and free NHS sexual health service in the heart of London” and offers walk-up emergency appointments and contraceptive services.
It is supported by Dean Street Express, an almost completely automated sexual health testing clinic, which last year was the overall winner in the EHI Awards 2014.
The two services are hugely popular with users, and have been receiving support on social media despite the data breach.
Twitter user Ryan Nelson tweeted: “Yes, @56deanstreet have made an absolutely massive error, but they do incredible, valuable, necessary work – let’s remember that as well.”
And Lisa Power tweeted: “Commiserations to the @56deanstreet patients involved, but also the clinic – nobody meant to do this, they must feel awful.”
The Guardian reports that the newsletter was sent to patients who have received treatment for HIV and signed up to the Option E service, which lets them book appointments and receive test results by email.
Instead of hiding the personal details of those on the recipient list, it included full names and email addresses.
The ‘beyondpositive’ website further reports that the clinic attempted to use Microsoft Outlook’s ‘recall’ feature, but only made the problem worse by sending out the full list of details a second time.
The clinic has set up a helpline and sent patients a further email, with an apology from Dr Alan McOwan, the trust’s director for sexual health.
“Clearly, this is completely unacceptable,” he wrote. “We are urgently investigating how this has happened, and I promise you that we will take steps to ensure it never happens again. We will send you the outcome of the investigation.”
The trust has issued a formal statement to press, saying: “We can confirm that due to an administrative error a newsletter about services at 56 Dean Street was sent to an email group rather than individual recipients.
"We immediately contacted all the email recipients to inform them of the error and apologise. Any concerned patients can call 020 3315 9555 and 020 3315 9594 (open until 6pm tonight)."
To date, the biggest fine paid by an NHS organisation to the ICO was £260,000. This was paid by Brighton and Sussex University Hospitals NHS Trust, after a contractor sold old hard drives containing patient information on eBay. The trust had initially been fined £325,000.