NHS service accidentally reveals identities of HIV patients in email blunder

Graham Cluley

NHS service accidentally reveals identities of HIV patients

NHS service accidentally reveals identities of HIV patients

An NHS health board has found itself in the awkward position of apologising to 37 patients, after accidentally disclosing their identities.

An email sent by NHS Highland invited people with HIV to a support group run by Raigmore Hospital’s sexual health clinic in Inverness, Scotland. But rather than blind carbon copying (Bcc’ing) the sensitive email’s recipients, all addresses were included in the email’s Cc: field.

Ironically the email invitation promised to “respect anonymity” and to “never identify members present” at the meeting.

One exposed patient described to Scottish TV how he felt when he realised what had happened:

“I know it stems from a genuine mistake but anonymity and confidentiality are so important. I scrolled the list and saw names clearly in some of those addresses, mine included.”

“You feel physically sick, people you know, people you might have been with over the years and it sets off all those dark thoughts you had just after diagnosis.”

A spokesperson for the health board apologised to the email’s recipients:

“NHS Highland deeply regrets that this breach of confidentiality has happened and we have contacted patients individually to apologise. As per normal procedure, a formal internal review is being conducted to understand how this has happened and to consider any steps to avoid this happening in future.”

Nathan Sparling, chief executive of charity HIV Scotland, told BBC News welcomed NHS Highland’s investigation, but said that the breach was “unacceptable”:

“Confidentiality is of paramount importance when it comes to people living with HIV, and the decision to disclose their status should be theirs and theirs alone.”

Sadly this isn’t the first time that HIV patients have suffered at the hands of a careless privacy breach.

A few years ago, a sexual health clinic in Soho, London, managed to disclose the names and email addresses of approximately 780 people, most of whom had HIV.

Email blunder
Email sent by 56 Dean Street clinic. Image source: The Guardian

The trust that ran London’s 56 Dean Street clinic were subsequently hit with a £180,000 fine.

And it’s not just health services, of course, who make these kind of email blunders.

Earlier this month I described how the Dutch Data Protection Authority had found itself in the ironic position of reporting itself for a data protection failure after making the same kind of mistake via email.

You can hear more about that incident, and other organisations who have made similar boo-boos, and how they might be stopped, in this episode of the “Smashing Security” podcast:

Smashing Security #130: 'Doctored videos, BCC blunders, and a diva'

Listen on Apple Podcasts | Google Podcasts | Other... | RSS
More episodes...

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET EMAIL UPDATES