A leading London sexual health clinic has been fined £180,000 after it mistakenly revealed the identities of almost 800 patients who had used its HIV service in a group email last year.
56 Dean Street sent out its monthly e-newsletter to 781patients on 1 September – but failed to hide the identities of recipients, thereby revealing the fact everyone included may be HIV positive.
A patient at the clinic, who spoke to BuzzFeed News shortly after he received the email, said he was "outraged" at the mistake. “I thought it was disgusting that I was seeing a massive list of their patients."
Christopher Graham, of the Information Commissioner's Office (ICO), said on Monday the email was a "serious breach of the law".
"People's use of a specialist service at a sexual health clinic is clearly sensitive personal data," he said. "The law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen.
“It is clear that this breach caused a great deal of upset to the people affected."
In a statement, the ICO said the clinic would be fined £180,000, payable by 3 June. The clinic will get a reduction of 20% (to £144,000) should it pay by 2 June.
A spokesperson at the Chelsea and Westminster Hospital NHS Foundation Trust, under which 56 Dean Street operates, admitted in September last year the email had been an "error".
The clinic stressed not everyone included in the e-newsletter was HIV positive, but admitted that out of 781 recipients, the full names of 730 people were visible.
The ICO also found this was not the first time the clinic had similarly breached patients' confidentiality rights. In March 2010 a staff member in the pharmacy department emailed a questionnaire about its HIV treatment to 17 individuals, including their details in the "to" section rather than "bcc".
Although "remedial measures" were established following the breach, the ICO noted there was no specific training implemented following the 2010 mistake.
"We fully accept the ruling of the ICO for what was a serious breach and we have worked to ensure that it can never happen again," the trust's medical director, Zoe Penn, told the BBC.
"I reiterate my apology to all those that were affected by this incident.
"We have kept in touch with affected individuals, with their consent, to update them on the actions we have and will continue to take in order to prevent others from being put in a similar situation in the future."