London's 56 Dean Street, one of Europe's busiest sexual health clinics, says it accidentally disclosed the HIV status of 780 patients this week in an email snafu that has activists and advocates fuming.
The e-mail addresses and names of subscribers to a monthly e-newsletter were visible to everyone who received it, leading many to conclude the recipients were HIV-positive.
Staff tried to recall the email immediately, but the damage was already done. Newsletter recipients were notified that the clinic would like to recall the email, prompting many to actively search it out after previously ignoring it. A later email apologized for the breach of patient privacy.
"My boyfriend saw the email that says the person would like to recall the message," one patient told BuzzFeed News. "That never works; it just draws attention to it. And so he saw that and that made him go and look for the original message. Then they sent another email that said, ‘We’re very sorry we sent this email, please delete it immediately,’ which is a bit demanding of them. People will delete an email if they want to delete it."
The newsletter is sent to patients who have signed up for the clinic's Option E service, which allows people to schedule appointments and receive test results via email. Instead of hiding all recipient email addresses, the newsletter accidentally listed all recipients names and email addresses in the "To" field, where they could be seen by everyone.
"I was outraged," the patient told BuzzFeed. "I thought it was disgusting that I was seeing a massive list of their patients. It’s not difficult to deduce the HIV status of every single one of those people. So I have their full names, their email address. I could easily put any of those details into Facebook and bring up pictures and personal details. There were people on there I recognized. It made me uncomfortable for them and for myself that I’m finding out information that they may not have wanted me to know."
Dr. Alan McOwan, Chelsea and Westminster hospital director for sexual health through the National Health Service trust, said the responsible employee was "distraught" and called it a "human mistake" in his apology to patients. He stressed that all recipients were not necessarily HIV-positive.
"I’m writing to apologise to you," McOwan wrote. "This morning at around 11.30am we sent you the latest edition of Option E newsletter. This is normally sent to individuals on an individual basis, but unfortunately we sent out today’s email to a group of email addresses. We apologise for this error. We recalled/deleted the email as soon as we realised what had happened. If it is still in your inbox please delete it immediately. Clearly this is completely unacceptable. We are urgently investigating how this has happened and I promise you that we will take steps to ensure it never happens again. We will send you the outcome of the investigation."
The NHS has also announced it will investigate the incident, according to U.K. newspaper The Guardian. Health Secretary Jeremy Hunt told reporters that the security of patient health and treatment records is a high priority for the NHS.
"Nothing matters more to us than our own health, but we must also understand that for NHS patients nothing matters more to them than confidence that the NHS will look after their own personal medical data with the highest standards of security," Hunt said. "The truth is the NHS have not won the public’s trust in our ability to do this, as today’s completely unacceptable data breach at the Dean Street surgery demonstrates."