An HIV clinic run by Chelsea and Westminster NHS Foundation Trust has been fined £180,000 for accidentally emailing its list of 781 patient’s email addresses, 730 of which contained its patient’s names.
The breach of Data Protection rules at the 56, Dean Street clinic was caused by the emails being sent to the “To” field, rather than the “Bcc” (Blind carbon copy), an error by a member of staff that caused “a great deal of upset”, according to the Information Commissioners Office (ICO) which levied the fine. The ICO investigation revealed that one of the nine complainants claimed they were “extremely worried” that they would “suffer discrimination at work” from having their HIV status revealed. The ICO found a similar, though smaller breach had occurred in 2010, with the clinic sending out 17 emails with the list of recipients.