The month of September got off to a shaky start for London’s 56 Dean Street HIV clinic, after it revealed the identities of many hundreds of HIV-positive patients in a group email.
In a major breach of personal data affecting approximately 780 people, patients who were supposed to be blind-copied into a clinic e-newsletter instead had their details copied into a group email, revealing their names and addresses to other patients. Those who received this group email had opted into the clinic’s OptionE service, which allows them to book appointments and receive test results by email.
A spokesperson for Chelsea and Westminster Hospital, which runs the clinic, confirmed that the clinic’s director had apologised for the breach “within an hour” of the incident on Tuesday 1st September, and that “the hospital is leading a review to find out how this happened and make sure it doesn’t happen again”. Following the clinic’s admission that the breach was down to a member of staff’s “human error”, the clinic’s medical director later issued another apology, saying it was “too early” to say what action, if any, would be taken against the member of staff in question.
Breaches like these can easily be avoided with a data classification solution, which makes it almost impossible to send sensitive information to those who are not meant to see it. In this case, it could have protected the highly sensitive information of almost 800 patients.