A leading HIV clinic has accidentally revealed the identities of hundreds of HIV-positive patients in a group email.
In a major breach of personal data, around 780 people who attend 56 Dean Street in central London – Europe's busiest sexual health centre – received the email on Tuesday, 1 September.
The e-newsletter, which contains the latest information about HIV services and treatment, is sent out monthly, but normally the details of recipients are hidden. Instead, the full list of recipients was visible, revealing that everyone in the address field is HIV-positive. The clinic then sent an email trying to recall the original one, alerting patients to the mistake, before sending a further email apologising.
"I was outraged," a patient at 56 Dean Street, whose boyfriend also received the email, told BuzzFeed News. "I thought it was disgusting that I was seeing a massive list of their patients. It's not difficult to deduce the HIV status of every single one of those people. So I have their full names, their email address. I could easily put any of those details into Facebook and bring up pictures and personal details."
This is the email that was sent to patients:
And this is the recall email sent to patients:
"My boyfriend saw the email that says the person would like to recall the message. That never works; it just draws attention to it. And so he saw that and that made him go and look for the original message. Then they sent another email that said, 'We're very sorry we sent this email, please delete it immediately,' which is a bit demanding of them. People will delete an email if they want to delete it."
The patient, who spoke to BuzzFeed News on the condition of anonymity, was aghast to see the names of people he knew on the email – but whose HIV status he had previously not known.
"There were people on there I recognised. It made me uncomfortable for them and for myself that I'm finding out information that they may not have wanted me to know." Compounding the breach of security was the inclusion of outdated patient details.
"There were people in there who I know to be dead because they were friends of mine," he said, adding that those who received the newsletters had not even requested it, but had signed up for a service called "Option E".
"It [Option E] means you can make appointments and get [blood] test results by email," he explained. "It means you never have to deal with the call centre. None of the people actually asked to be on the email newsletter list, they just started doing [sending] it a few years ago."
As news about the email spread beyond those who had received it, people took to Twitter to express their concern.
The patient, who forwarded screenshots of the email to BuzzFeed News (without the names of recipients), has sent a letter of complaint to Chelsea and Westminster Hospital, which controls 56 Dean Street. He added that hundreds of patients could sue the hospital for the disclosure of such personal data, but he has decided not to take the matter further than a complaint.
"It could be very expensive for the NHS," he said. "For me it's not about the money; I don't want to sue them, I don't want to see them having any financial hardship, I just want them to change the system so they can't do it again."
The patient could not understand how the mistake happened.
"Anyone sensible uses something like MailChimp [an email newsletter service that offers security solutions] so it's not possible to make this kind of mistake. And I think because they're focused on the business of treating their patients and they do that really well, they're not very good with computers. I've worked in the NHS myself. If you ask the IT department to do something it can be such a painful process, because they make everything so difficult, people [staff] just try and do it themselves."
BuzzFeed News contacted Chelsea and Westminster Hospital to ask what it planned to do to ensure such a mistake could not be repeated.
"Erm…that's a good question actually," said Mark Purcell, a spokesperson for the hospital. "I think they [56 Dean Street] are obviously looking very much into this."
Purcell confirmed: "Yes, it was an error. It happened yesterday morning. Each one of the individuals were sent an email but instead of a blind email they got a group email and that's where the mistake happened. I've done it myself actually, but still, in the past."
This is the email apology sent to recipients:
Purcell added: "The clinical director has apologised personally to each and every one of the people concerned."
But the patient who spoke to BuzzFeed News said he had not been contacted.
"When they say 'personally' they mean they sent the email to all 780 people saying sorry. But no, they definitely haven't been in touch. That's not even possible. 780 people? He's suggesting they phoned every single one of them? That's nonsense."
Another patient who received the email and contacted BuzzFeed News also hadn't received a "personal" apology. He too asked to remain anonymous and said he felt "sick" after seeing all the names exposed at the top of the email.
"I would have expected their information governance to be highly secure and watertight," he told BuzzFeed News. "This is a massive breach of security on something which is incredibly sensitive to a lot of people. I'm shocked how this happened, keen to understand why it happened and what they're putting in place to prevent it from happening again."
Both patients were keen to point out how excellent the service at 56 Dean Street normally is. The clinic is widely lauded for not only its patient care, but its innovative services, introducing specialist projects to reach sex workers and drug users.
Chelsea and Westminster Hospital told BuzzFeed News in a statement: "We can confirm that due to an administrative error, a newsletter about services at 56 Dean Street was sent to an email group rather than individual recipients. We have immediately contacted all the email recipients to inform them of the error and apologise. Any concerned patients can call 020 3315 9555 and 020 3315 9594 (open until 6pm tonight). Alternatively patients can ring the Telephone Clinic on 020 3315 9500."
Patrick Strudwick is an LGBT editor for BuzzFeed News and is based in London.