An HIV support group responsible for inadvertently revealing patient identities via an email blunder has been slapped with a £250 fine by the Information Commissioner's Office.
The Bloomsbury Patient Network sent out a newsletter to 200 patients via email using a list of addresses in the "to" field rather than the "bcc" field.
The recipients could see all the individual email addresses, resulting in 56 patients’ full or partial names being revealed.
Steve Eckersley, head of enforcement at the ICO, said: “The trustees of Bloomsbury Patient Network are individually liable to pay any monetary penalty, which is why the fine is much smaller than usual."
"But, it’s important to warn others that this type of sensitive data can cause huge amounts of distress for the people involved. We need to send a clear message: no matter how small your organisation, you must make sure staff and volunteers are trained to protect personal data,” he added.
This is not the first incident of this type. In September, 56 Dean Street, a sexual health clinic operated as part of Chelsea and Westminster NHS Foundation Trust, emailed the HIV positive status of nearly 800 patients to the entire group. The ICO has said it is investigating the incident.
The ICO added that because of the serious nature of the breach, most companies would expect to receive a much larger fine.
Yesterday the Europe Union introduced strict new data protection rules on companies, who will face a fine of four per cent on their global turnover if they are found in breach of the regulations. ®