A gender identity clinic in London has said it is investigating “a data security incident” after patient emails were exposed.

The Charing Cross Gender Identity Clinic, which is run by Tavistock and Portman NHS Foundation Trust, sent out an email on 6 September regarding an art project.

Tavistock later said in a statement that “due to an error, the email addresses of some of those we are inviting to participate were not hidden and therefore visible to all”.

Two separate emails were sent, with about 900 people’s emails on each one, BBC News reported.

The trust’s statement added: “We are hugely apologetic and understand that this is a serious data breach.

“We can confirm we are reporting this breach to the Information Commissioner’s Office (ICO) as well as treating it as a serious incident within the Trust.”

The Gender Identity Clinic accept referrals from all over the UK for adults with issues related to gender and involves patients who are transitioning gender or considering doing so.

One of those affected was Shon Faye, who told The Guardian: “It could lead to people being outed to family members or to their communities as being trans, where it may be a risk to them being known to be trans.

“That could be hugely dangerous to their wellbeing and safety.”

The ICO confirmed on social media that it has been made aware of the incident and would “assess the information provided”.

In May 2016, the 56 Dean Street clinic in London’s Soho was fined £180,000 by the ICO after almost 800 email addresses of patients were leaked.