Identities of hundreds of HIV-positive patients mistakenly released

The clinic in London's Soho sent a newsletter to about 780 patients on a group email
The clinic in London's Soho sent a newsletter to about 780 patients on a group email

An investigation has been launched after an NHS clinic mistakenly revealed the identities of hundreds of HIV-positive patients.

The 56 Dean Street clinic in London's Soho sent a newsletter to about 780 patients on a group email, rather than to individuals.

It contained the names and email addresses of patients who had attended HIV clinics at Dean Street, which is part of the Chelsea and Westminster Hospital NHS Foundation Trust.

A spokesman for the clinic said the mistake on Tuesday was caused by "human error" and an internal investigation had been launched.

The monthly newsletter was sent to patients signed up to the clinic's OptionE service, which lets people book appointments and receive test results by email.

Instead of hiding the personal details of those on its recipient list, it included their full names and email addresses.

The clinic tried to rectify its mistake by using Microsoft Outlook's recall feature.

This was followed by an email apology from Alan McOwan, Chelsea and Westminster Hospital trust's director for sexual health.

It said: "I'm writing to apologise to you. This morning at around 11.30am we sent you the latest edition of OptionE newsletter.

"This is normally sent to individuals on an individual basis but unfortunately we sent out today's email to a group of email addresses. We apologise for this error.

"We recalled/deleted the email as soon as we realised what had happened. If it is still in your inbox please delete it immediately.

"Clearly this is completely unacceptable. We are urgently investigating how this has happened and I promise you that we will take steps to ensure it never happens again. We will send you the outcome of the investigation."

A spokesman for the clinic said it was not accurate to say every patient on the list was HIVpositive.

He added: "We have immediately contacted all the email recipients to inform them of the error and apologise."

Online magazine beyondpositive, which is for people living with or affected by HIV, said it had been contacted by patients affected by the breach.

Editor Tom Hayes said the people on the email list are HIV positive.

He said: "The breach lets 780 people know that the other people on the email list are living with HIV. This is a huge breach of confidentiality."

He said trust between clinics and patients can take a long time to build up.

"One person who contacted us said they were going to transfer their care to another clinic because that trust had gone," he said.

"There may be friends finding out things about other friends because of this."

One patient told the website that because all the recipients were OptionE customers, theirHIV status was now known to other people.

"This is a serious breach of data protection," he said. "There are several names I recognise from the list and, while I am of course being discreet, I am not sure I trust every other person on the list to do the same."

The newsletter contained details of physiotherapy sessions, mindfulness stress reduction courses and new telephone consultation clinics run by the service.

It also outlined a women's health evening and the results of a clinical trial of people living with HIV.

Another patient whose details were exposed by the email said the NHS has "no way of controlling who sees this information now and, in the wrong hands, this list could be dynamite".

He told the Guardian: "OptionE is a service set up for patients who are stable and on long-term HIV treatment. It is designed to make life easier so your results, etc, are sent via email.

"I find it impossible to believe that in this day and age this can happen. I was able to scroll down the list and identify the names of a number of people who I knew, some of whom I was unaware of their status."

The Information Commissioner's Office (ICO), which can levy fines of up to £500,000 for significant data breaches, said on Twitter that it was investigating.

It said: "We are aware of the incident regarding the 56 Dean Street clinic and are making enquiries."

The National Aids Trust said it was "deeply concerned" by the leak.

Chief executive Deborah Gold said: "Confidentiality is crucial to people living with HIV.

"Who people disclose their HIV status to is an extremely personal decision - this type of leak will be very distressing and should not have been possible.

"56 Dean Street is an internationally respected clinic, leading the response to HIV with its innovative approach.

"It's vital that the review of how this happened is quickly completed and lessons are learned to ensure that patient trust can be regained."

She said all HIV clinics should urgently review their processes to make sure this type of leak could not happen.