London clinic accidentally reveals HIV status of 780 patients
One of Britain’s leading sexual health clinics has apologised after mistakenly revealing the HIV positive status of nearly 800 patients.
The 56 Dean Street clinic in London sent a newsletter on Tuesday that disclosed the names and email addresses of about 780 HIV patients.
The clinic, which is run by the Chelsea and Westminster NHS trust, apologised shortly after sending the email and on Wednesday pledged to investigate how the breach occurred.
Britain’s data protection watchdog is likely to launch an investigation into the privacy breach, thought to be one of the biggest of its kind.
Elliot Herman, 38, from London, said the email contained the names of friends who had never disclosed their HIV status to him before.
“It’s not difficult to put those names into Facebook and bring up their profiles and personal details,” he said. “If my details were on that list I would feel angry and disappointed at the clinic for having such a shit system that this can happen.”
The newsletter was sent to about 780 patients who have received treatment for HIV and signed up to its Option E service, which lets people book appointments and receive test results by email. Instead of hiding the personal details of those on its recipient list, it included their full names and email addresses.
Within hours of the breach, the clinic set up a helpline and sent patients an email apology from Dr Alan McOwan, Chelsea and Westminster hospital NHS trust’s director for sexual health.
It said: “I’m writing to apologise to you. This morning at around 11.30am we sent you the latest edition of OptionE newsletter.
This is normally sent to individuals on an individual basis but unfortunately we sent out today’s email to a group of email addresses. We apologise for this error.
“We recalled/deleted the email as soon as we realised what had happened. If it is still in your inbox please delete it immediately.
Clearly this is completely unacceptable. We are urgently investigating how this has happened and I promise you that we will take steps to ensure it never happens again. We will send you the outcome of the investigation.”
A 56 Dean Street spokesman said the breach was down to a “human mistake” and that the employee responsible was distraught.
The Information Commissioner’s Office (ICO) said it was aware of the incident and was making inquiries. The privacy watchdog can levy fines of up to £500,000 for significant data breaches.
Herman, whose friends’ HIV status was exposed in the email, has complained about the breach to the NHS patient advice and liaison service.
“This is serious breach of data protection. There are several names I recognise from the list, and while I am of course being discreet, I am not sure I trust every other person on the list to do the same,” he wrote in the complaint.
He added: “I feel bad making this complaint, because I have a great deal of respect and admiration for the excellent service provided by the clinic and my own doctor, Alan McOwan, who has always provided superb clinical care. I have never had cause to complain in the past. However, I feel this is important enough to bring to official attention.”
56 Dean Street, based in Soho, central London, bills itself as Europe’s busiest sexual health, contraception and HIV care clinic. In 2011, the clinic set the world record for the most HIV tests performed in one location, at G-A-Y bar in Soho on World Aids Day.
Last year, it claimed to be the first clinic in the world to have an on-site Infinity machine, allowing it to give HIV test results within six hours.
The clinic has set up a helpline for patients affected by the breach on 020 3315 9555 or 020 3315 9594. The Guardian (UK)
