Support network fined for mistakenly revealing names of HIV patients

The Information Commissioner’s Office has fined a patient support network for inadvertently revealing the identities of HIV patients through an email error.

It was the second incident of its type at the Bloomsbury Patient Network in three months.

The ICO imposed a monetary penalty of only £250 because the network is an unincorporated association.

However, the watchdog added that the serious nature of the breach meant most companies would have received a much larger fine.

The latest incident happened when the network emailed a newsletter to 200 patients with the list of email addresses in the ‘to’ field rather than the ‘bcc’ field.

On receiving the email, the recipients on the list could see all the individual email addresses. Many of the addresses contained people’s names, which resulted in 56 patients’ full or partial names being revealed, the ICO monetary penalty notice said.

Steve Eckersley, Head of Enforcement at the ICO, said: “Our investigation uncovered initial problems at the Bloomsbury Patient Network back in February that weren’t reported to us. They were going to provide training for staff and start using a system that sends separate emails to users. It seems the second incident occurred, before they had time to put these measures in place so we had to act.”

He added: “The trustees of Bloomsbury Patient Network are individually liable to pay any monetary penalty which is why the fine is much smaller than usual. But it’s important to warn others that this type of sensitive data can cause huge amounts of distress for the people involved. We need to send a clear message - no matter how small your organisation, you must make sure staff and volunteers are trained to protect personal data.”