The 56 Dean Street clinic in London’s Soho has been fined £180,000 by the Information Commissioner’s Office after an email blunder led to the leak of almost 800 email addresses of patients.
The fine is one of the largest to be imposed on an NHS trust by the ICO, although it falls well short of the £325,000 that Brighton and Sussex University Hospitals NHS Trust received for breaching the Data Protection Act in 2012, after a contractor it paid to destroy hard drives instead sold them on eBay.
Information Commissioner Christopher Graham said the size of the fine reflected 56 Dean Street’s “serious breach of the law”, which occurred after an email newsletter about its HIV services was sent out as a group email, with the email addresses of recipients revealed to one another.
“People’s use of a specialist sexual health clinic is clearly sensitive personal data,” Graham added in a statement. “The law demands that this type of information is handled with particular care, following clear rules and, put simply, this did not happen.”
56 Dean Street is an innovative clinic run by Chelsea and Westminster NHS Trust that serves a high-risk community in central London.
The email breach occurred in September 2015, and the trust immediately apologised, set up a helpline for patients, and promised a full investigation. The service initially received considerable support from users on social media.
However, Graham said: “It is clear that this breach caused a great deal of upset to the people affected.”
He also revealed that it was not the first time the trust had run into this kind of problem, and that a pharmacy employee had emailed an HIV treatment questionnaire to 17 patients in 2010 using the ‘to’ field rather than the ‘bcc’ field.
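Both incidents share one mechanism: recipient addresses placed in a visible header rather than kept in the SMTP envelope. As an added example (not code from the clinic or the trust), the Python below builds a bulk message the safe way and refuses to send if any recipient is visible in the headers; the addresses and the transport callback are constructed for illustration.

```python
"""Build a bulk newsletter so recipient addresses never appear in the
message headers, and audit a message for the 'To' versus 'Bcc' mistake.
Added example with constructed addresses; nothing here is sent."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list (not real addresses).
RECIPIENTS = ["patient1@example.org", "patient2@example.org", "patient3@example.org"]
SENDER = "newsletter@clinic.example"


def build_newsletter(recipients, sender, subject, body, leak=False):
    """Return (message, envelope_recipients).

    With leak=False the visible headers name only the sender's own
    address; the real recipients travel solely in the SMTP envelope
    (RCPT TO), which is what smtplib.send_message uses when given
    to_addrs explicitly. With leak=True the recipients are written into
    'To', the mistake that shows every address to every other recipient.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg["To"] = ", ".join(recipients) if leak else sender
    msg.set_content(body)
    return msg, list(recipients)


def leaked_addresses(msg, recipients):
    """Return recipient addresses that appear in any visible recipient
    header (To/Cc, plus Bcc if it was left in the message rather than
    stripped before sending)."""
    visible = set()
    for header in ("To", "Cc", "Bcc"):
        values = msg.get_all(header, [])
        visible.update(addr.lower() for _, addr in getaddresses(values))
    return sorted(r for r in recipients if r.lower() in visible)


def send_or_refuse(msg, recipients, transport):
    """Pre-send gate: hand the message to transport(msg, envelope) only if
    no recipient is visible in its headers. transport is a hypothetical
    callback standing in for an smtplib wrapper."""
    leaked = leaked_addresses(msg, recipients)
    if leaked:
        raise ValueError(f"refusing to send: {len(leaked)} recipient(s) visible in headers")
    return transport(msg, recipients)
```

In production the same audit belongs in the mailing tool itself, since the 'to' field mistake is made at send time, not in the template.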
Graham said this “only adds” to the seriousness of the later breach. The trust’s medical director, Zoe Penn, said it accepted the ICO’s ruling and was working hard to make sure it did not happen again.
“I reiterate my apology to all those who were affected by this incident,” she said. “We have kept in touch with affected individuals, with their consent, to update them on the actions we have taken and will continue to take in order to prevent others from being put in a similar situation in the future.”
The Information Commissioner's Office is able to issue fines of up to £500,000 for breaches of the Data Protection Act that are "serious" and that cause "substantial distress."
The fines are paid into HM Treasury's Consolidated Fund, and are not kept by the ICO. A new information commissioner, Elizabeth Denham, is due to take over this summer.