In an email blunder 56 Dean Street have revealed the HIV status of nearly 800 of its patients – one of whom has contacted beyondpositive.
Yesterday afternoon (12:46 September 1 2015) 56 Dean Street a GUM and HIV clinic, part of Chelsea and Westminster NHS Foundation Trust, sent out a newsletter to its HIV positive patients. The problem? They left every one of the 780 patients’ contact details in the ‘To’ field. This means everyone who received this email now has contact details (name and email address) for the clinic’s 779 other HIV positive patients.
The clinic then, at 13:05, attempted to use Microsoft Outlook’s ‘recall’ feature – which only compounded the situation by sending out the full list of email addresses and names a second time. At 14:27 the patients received a third email, this time sent correctly (albeit with typos), with an apology from Dr Alan McOwan, stating that they were “urgently investigating” how the blunder happened and promised to send the patients the outcome of said investigation.
One patient who contacted beyondpositive, on an anonymous basis, let us know of the data leak and his disappointment in the way the trust has handled his sensitive personal data.
“56 Dean Street have a service called Option E – that’s for patients who prefer to book appointments and get results via email. They send a regular email newsletter to their patients, keeping them updated.
However, yesterday (Tuesday 1 Sept), instead of putting a batch of several hundred or so email addresses in the BCC box, they put them in the to box, thereby revealing the people’s full names and email addresses to every other recipient; and, of course, because they’re all Option E customers, we also now know their HIV status.”
“This is serious breach of data protection. There are several names I recognise from the list, and while I am of course being discreet, I am not sure I trust every other person on the list to do the same.”
As our reader mentioned, whilst most people on the list will hopefully delete the email and be discreet about the matter our of respect for their fellow HIV positive patients this is far from guaranteed. The repercussions of this breach could be highly damaging for many people.
Many people have issues around disclosure and trusting clinicians, and this is sure to do nothing to allay those fears.
We have reached out to Chelsea and Westminster NHS Foundation Trust for comment, but had not heard back at time of publication. We will update this article should we hear from them.
UPDATE: Statement from Chelsea and Westminster NHS Foundation Trust, in its entirety, below:
“We can confirm that due to an administrative error, a newsletter about services at 56 Dean Street was sent to an email group rather than individual recipients. We have immediately contacted all the email recipients to inform them of the error and apologise. Any concerned patients can call 020 3315 9555 and 020 3315 9594 (open until 6pm tonight).
Alternatively patients can ring the Telephone Clinic on 020 3315 9500
Unfortunately the Trust declined to reply to our comments on whether they will be providing counselling for patients affected in the breach, what the Trust will be doing to rebuild the trust between patients and the clinic, or whether they will be self-referring to the Information Commissioner’s Officer.
Were you caught up in this data breach? Have your details been leaked? If so how do you feel about the situation? Leave a comment below, or email us on firstname.lastname@example.org