A specialist HIV treatment centre has been fined £250 by the Information Commissioner’s Office after it revealed the identities of patients through an email error.
In February 2014, a member of staff at the Bloomsbury Patient Network emailed between 60 and 200 patients who were HIV-positive.
The email addresses were entered into the “to” field rather than “bcc”, meaning they were visible to everybody who received the email.
The member of staff agreed to be more careful when sending future emails, but was given no formal guidance or training, and in May they repeated the same mistake, sending another email to 200 service users.
The ICO said in its report that 56 of the 200 email addresses contained the full or partial names of service users.
Head of enforcement at the ICO, Steve Eckersley, said: “Our investigation uncovered initial problems at the Bloomsbury Patient Network back in February that weren’t reported to us.
“They were going to provide training for staff and start using a system that sends separate emails to users. It seems the second incident occurred before they had time to put these measures in place, so we had to act.”
The ICO said the low £250 fine is due to the network’s status as an unincorporated association, but the serious nature of the breach means most companies would expect to receive a much larger fine.
“We need to send a clear message – no matter how small your organisation, you must make sure staff and volunteers are trained to protect personal data.”
The Information Commissioner’s Office is also looking into an “incident” involving the 56 Dean Street clinic in London’s Soho, which last year accidentally disclosed the HIV status of 800 patients.
The clinic, which is run by Chelsea and Westminster NHS Trust, sent out a newsletter that revealed the names and addresses of the patients, in what it has described as an “unacceptable” error.