The Information Commissioner’s Office (ICO) have fined Chelsea and Westminster Hospital NHS Foundation Trust £180,000 after it revealed the email addresses of 781 users of an HIV service.
Patients using the HIV service were sent a newsletter which mistakenly included all recipients email addresses in the ‘to’ field instead of the 'bcc' field. 730 of the email addresses displayed contained full names. The ICO found that this amounted to a serious breach of the Data Protection Act 1998 and that it was likely to cause substantial distress as recipients of the e-mails could infer the HIV status of the other recipients. In addition to the information being confidential sensitive personal data, the ICO was conscious that, due to the small geographical area the Trust serviced, the individuals may well have known each other.
The Trust had made a similar mistake in 2010 and, although some steps were taken then to prevent reoccurrence, the ICO found that no specific training had been implemented following that breach.
Employers should ensure that they have adequate training in place on data protection obligations and staff should be reminded of the care that needs to be taken when sending group emails, particularly, when this may reveal sensitive information about those involved such as their health.