NHS Highland reprimand for HIV patient email data breach


NHS Highland has been reprimanded for a data breach which revealed the personal email addresses of people invited to use HIV services.

The health board used CC (carbon copy) instead of BCC (blind carbon copy) to send an email to 37 people.

The Information Commissioner’s Office (ICO) said the error amounted to a “serious breach of trust”.

The mistake meant all recipients of the email could see the personal addresses of the others receiving it.

One person said they recognised four other individuals, one of whom was a previous sexual partner.

NHS Highland said it was sorry for the breach of confidentiality. The error was made on 13 June 2019.

The ICO issued the reprimand to the health board instead of a £35,000 fine.

It said failure to use BCC is one of the most common email data breaches, with nearly 1,000 reported incidents since 2019.

It called for improvements to be made to data protection safeguards for HIV service providers.

‘Learning experience’

Stephen Bonner, deputy commissioner for regulatory supervision, said: “What we saw here with NHS Highland was a serious breach of trust, and those accessing vital services failed.

“Research shows that people living with HIV have experienced stigma or discrimination due to their status.

“Organisations dealing with this type of information should take the utmost care with their personal data.

“Every HIV service provider in the country should look at this case and see it as a crucial learning experience.”

The ICO’s recommendations have been included in NHS Highland’s information governance action plan. An update will be provided to the ICO in June.

Under data protection laws, organisations have to have technical and organisational systems in place to ensure personal data is kept secure.

NHS Highland said: “We acknowledge and accept the findings of the Information Commissioner and are doing all we can to prevent a repetition of this incident.

“Since this incident, NHS Highland has changed email domain as part of a national roll out.

“We would take this opportunity to again apologise – unreservedly – to everyone who was affected by this incident.”

