The accidental disclosure of the names and email addresses of 780 people who had attended an HIV clinic in London highlights some key lessons for organisations that process sensitive personal data, and serves as a warning of just how easily human error can land an organisation in the midst of a high-profile data breach.
Earlier this month the 56 Dean Street sexual health clinic in London sent an HIV-related newsletter to 780 patients who had attended the clinic, mistakenly placing their names and email addresses in the 'CC' field of the email rather than in the 'BCC' field. The result was that, instead of being blind copied, every recipient could see the names and email addresses of all the others.
The mistake was quickly realised and the clinic, which is run by the Chelsea and Westminster NHS Trust, tried to reverse its error by recalling the email, but the damage had already been done. A recall can only withdraw messages that are still unread within the sender's own mail system; once a message has been delivered to external mailboxes, the disclosure cannot be undone. Within hours of the breach the clinic issued an apology and set up a helpline for affected patients. It has also pledged to investigate the breach and has temporarily suspended all mass emails.
Health secretary Jeremy Hunt has described the breach as "completely unacceptable" and has reportedly ordered an inquiry into how the NHS handles confidential medical information as a result. As part of this inquiry the Care Quality Commission is to review the effectiveness of existing data security measures in the NHS, recommend changes, and look into how the NHS can improve its defences against cyber-attacks.
Potential Implications
This is an extremely high profile data breach with potentially life altering consequences for the patients involved. An individual’s status as HIV positive is classed as ‘sensitive personal data’ for the purposes of the Data Protection Act 1998 (‘DPA’) and its disclosure in these circumstances almost certainly amounts to a breach by the Trust of its obligations under the DPA. The Information Commissioner’s Office (‘ICO’), the body which regulates data protection in the UK, currently has the power to impose monetary penalties of up to £500,000 for data breaches. In a tweet sent shortly after the incident the ICO stated that they were “aware of the incident regarding the 56 Dean Street clinic and are making enquiries”.
It is also possible that patients whose information was disclosed will take direct action against the NHS Trust through the courts, seeking compensation for the damage they have suffered. This may take the form of actions for breach of the duty of confidence owed by the clinic to each of its patients, and it has also been suggested that the disclosure could constitute a breach of the patients' human rights, namely their right to privacy under Article 8 of the European Convention on Human Rights.
Lessons to be learnt
Although not always headline grabbing, data breaches of this kind are not unusual: according to ICO statistics, the healthcare sector reported more data breaches than any other sector in 2014. The incident at the 56 Dean Street clinic demonstrates just how easily a single human error can lead to a high-profile data breach with serious consequences for all involved. In today's fast-paced working environment, where sending an email to multiple recipients is quick and easy, many people will have inadvertently sent an email to an unintended recipient. While the risk of such mistakes cannot be ruled out entirely, all organisations, and particularly those that process sensitive personal data, should be doing as much as possible to implement appropriate measures to guard against data breaches.
In reviewing current policies and procedures, organisations should in particular be mindful of the likely changes to data breach notification requirements and the new sanctions for data breaches set to be introduced by the General Data Protection Regulation, which is currently making its way through the legislative process in Europe. Whilst the text of the Regulation has yet to be finalised, it is clear that it will introduce significantly higher fines for data breaches; the highest amount currently proposed stands at EUR 100 million or 5% of annual worldwide turnover. The Regulation is also set to make it mandatory to notify the ICO of a data breach within a set time after it occurs, which under the current proposals could be as short as 24 hours, and to notify the affected data subjects in certain circumstances.
With the General Data Protection Regulation on the horizon, it is more important than ever for organisations to take steps to mitigate the risk of data breaches. Training staff on appropriate email practices should be a priority, to help embed a culture in which following information security procedures is business as usual. Organisations should also consider investing in technological measures that mitigate breaches caused by human error, such as systems that scan outgoing emails for sensitive content and for large numbers of visible recipients before they are sent, and that block or rewrite a message that fails the check. It is also imperative that organisations have agile procedures in place to react to a data breach quickly, satisfy any mandatory notification requirements (once these are introduced) and minimise the harm to the individuals whose data has been compromised.
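As an added example, not part of the original article and not the clinic's or any vendor's software, the following Python script shows the kind of pre-send check the paragraph above describes. It reproduces the failure mode of the incident (a newsletter with every patient address in Cc), flags it, and rewrites the message so the recipients are hidden in Bcc. The recipient threshold of five, the keyword list and the example.org addresses are assumptions for illustration.

```python
"""Pre-send guard for bulk e-mail (constructed example, not the clinic's system).

Models the 56 Dean Street failure mode: hundreds of addresses in Cc instead
of Bcc, so every recipient sees every other recipient. An outbound gateway or
mail client plug-in can run check_outgoing() before handing the message to
the MTA and refuse or rewrite anything that fails. The threshold and the
keyword list below are assumptions for illustration.
"""
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: more than this many visible recipients is treated as a bulk send.
MAX_VISIBLE_RECIPIENTS = 5
# Assumption: phrases whose presence marks the message as sensitive.
SENSITIVE_TERMS = ("hiv", "sexual health", "clinic", "test results")


def visible_recipients(msg):
    """Addresses every recipient can see: those in To and Cc."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def hidden_recipients(msg):
    """Addresses in Bcc. smtplib.send_message() strips this header and uses
    the addresses only as envelope recipients, so other recipients never see them."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]


def sensitive_terms_in(msg):
    """Case-insensitive whole-phrase scan of the Subject and the text/plain body."""
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    return sorted(t for t in SENSITIVE_TERMS
                  if re.search(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE))


def check_outgoing(msg):
    """Return a list of policy findings; an empty list means the message may go as-is."""
    findings = []
    visible = visible_recipients(msg)
    terms = sensitive_terms_in(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        findings.append(f"{len(visible)} recipients visible in To/Cc; bulk mail must use Bcc")
    if terms and len(visible) > 1:
        findings.append("sensitive content (%s) with %d visible recipients"
                        % (", ".join(terms), len(visible)))
    return findings


def rewrite_as_bcc(msg, list_address):
    """Move every recipient into Bcc and leave a single neutral list address in To."""
    rcpts = [a for a in dict.fromkeys(visible_recipients(msg) + hidden_recipients(msg))
             if a != list_address.lower()]          # dedupe, keep order, drop the list address
    for header in ("To", "Cc", "Bcc"):
        del msg[header]                            # no error if the header is absent
    msg["To"] = list_address
    msg["Bcc"] = ", ".join(rcpts)
    return msg


def build_newsletter(addresses):
    """Constructed sample that reproduces the incident: all patients placed in Cc."""
    msg = EmailMessage()
    msg["From"] = "newsletter@example.org"
    msg["To"] = "newsletter@example.org"
    msg["Cc"] = ", ".join(addresses)
    msg["Subject"] = "HIV service newsletter"
    msg.set_content("News from the clinic for patients on our mailing list.")
    return msg


if __name__ == "__main__":
    patients = [f"patient{i}@example.org" for i in range(1, 11)]
    msg = build_newsletter(patients)
    for finding in check_outgoing(msg):
        print("BLOCKED:", finding)
    fixed = rewrite_as_bcc(msg, "newsletter@example.org")
    print("after rewrite:", check_outgoing(fixed) or "clean",
          "| hidden recipients:", len(hidden_recipients(fixed)))
```

The two checks are deliberately independent: a large visible recipient list is blocked whatever the content, and sensitive content is blocked with as few as two visible recipients, since the harm in this incident came from the combination of who was on the list and what the list was about. Rewriting into Bcc is only safe because the submission library treats Bcc as envelope-only; a gateway that forwards the raw headers unchanged must strip the Bcc header itself.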